Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1435591
MD5:b09b19c780bfaa784ccf35dc454f9326
SHA1:0efc9a13e26c279bcf9d07bdb62f928f19860c7a
SHA256:4bf00732a644554a0bef0eb0fa080a182a63b52eda03dd8d4df8704feebf20d2
Tags:exe
Infos:

Detection

RedLine
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Snort IDS alert for network traffic
Yara detected RedLine Stealer
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops certificate files (DER)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • file.exe (PID: 7492 cmdline: "C:\Users\user\Desktop\file.exe" MD5: B09B19C780BFAA784CCF35DC454F9326)
    • conhost.exe (PID: 7500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 7556 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • RegAsm.exe (PID: 7564 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
RedLine StealerRedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": "5.42.65.96:28380", "Bot Id": "LogsDiller Cloud (TG: @logsdillabot)", "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
dump.pcapJoeSecurity_RedLine_1Yara detected RedLine StealerJoe Security
    dump.pcapJoeSecurity_RedLineYara detected RedLine StealerJoe Security

      Memory Dumps

      SourceRuleDescriptionAuthorStrings
      00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpJoeSecurity_RedLineYara detected RedLine StealerJoe Security
        00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_RedLineYara detected RedLine StealerJoe Security
            00000003.00000002.1742509849.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_RedLineYara detected RedLine StealerJoe Security
              Process Memory Space: file.exe PID: 7492JoeSecurity_RedLineYara detected RedLine StealerJoe Security
                Click to see the 2 entries

                Unpacked PEs

                SourceRuleDescriptionAuthorStrings
                0.2.file.exe.89f018.1.raw.unpackJoeSecurity_RedLineYara detected RedLine StealerJoe Security
                  0.2.file.exe.89f018.1.unpackJoeSecurity_RedLineYara detected RedLine StealerJoe Security
                    0.2.file.exe.870000.0.unpackJoeSecurity_RedLineYara detected RedLine StealerJoe Security
                      3.2.RegAsm.exe.400000.0.unpackJoeSecurity_RedLineYara detected RedLine StealerJoe Security

                        Sigma Signatures

                        No Sigma rule has matched

                        Snort Signatures

                        Timestamp:05/02/24-22:55:51.421922
                        SID:2046045
                        Source Port:49730
                        Destination Port:28380
                        Protocol:TCP
                        Classtype:A Network Trojan was detected
                        Timestamp:05/02/24-22:55:56.823634
                        SID:2046056
                        Source Port:28380
                        Destination Port:49730
                        Protocol:TCP
                        Classtype:A Network Trojan was detected
                        Timestamp:05/02/24-22:56:02.792026
                        SID:2043231
                        Source Port:49730
                        Destination Port:28380
                        Protocol:TCP
                        Classtype:A Network Trojan was detected
                        Timestamp:05/02/24-22:55:51.596736
                        SID:2043234
                        Source Port:28380
                        Destination Port:49730
                        Protocol:TCP
                        Classtype:A Network Trojan was detected

                        Joe Sandbox Signatures

                        Click to jump to signature section

                        Show All Signature Results

                        AV Detection

                        barindex
                        Antivirus / Scanner detection for submitted sample
                        Source: file.exeAvira: detected
                        Found malware configuration
                        Source: 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: RedLine {"C2 url": "5.42.65.96:28380", "Bot Id": "LogsDiller Cloud (TG: @logsdillabot)", "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}
                        Machine Learning detection for sample
                        Source: file.exeJoe Sandbox ML: detected
                        Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: file.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00888F67 FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00888F67

                        Networking

                        barindex
                        Snort IDS alert for network traffic
                        Source: TrafficSnort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.4:49730 -> 5.42.65.96:28380
                        Source: TrafficSnort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.4:49730 -> 5.42.65.96:28380
                        Source: TrafficSnort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 5.42.65.96:28380 -> 192.168.2.4:49730
                        Source: TrafficSnort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 5.42.65.96:28380 -> 192.168.2.4:49730
                        C2 URLs / IPs found in malware configuration
                        Source: Malware configuration extractorURLs: 5.42.65.96:28380
                        Source: global trafficTCP traffic: 192.168.2.4:49730 -> 5.42.65.96:28380
                        Source: Joe Sandbox ViewIP Address: 5.42.65.96 5.42.65.96
                        Source: Joe Sandbox ViewASN Name: RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003134000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003134000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000032FE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000032FE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003134000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003134000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003134000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003134000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003134000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003134000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003134000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003134000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003134000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003134000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000032FE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.0000000003134000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000032FE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003134000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003134000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
                        Source: RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003134000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003134000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003565000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.000000000359C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1786872785.000000000453A000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1786872785.000000000451E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.0000000003505000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.00000000034CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                        Source: file.exe, file.exe, 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1742509849.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003565000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.000000000359C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1786872785.000000000453A000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1786872785.000000000451E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.0000000003505000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.00000000034CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003565000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.000000000359C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1786872785.000000000453A000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1786872785.000000000451E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.0000000003505000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.00000000034CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003565000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.000000000359C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1786872785.000000000453A000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1786872785.000000000451E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.0000000003505000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.00000000034CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003565000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.000000000359C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1786872785.000000000453A000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1786872785.000000000451E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.0000000003505000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.00000000034CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                        Source: RegAsm.exe, 00000003.00000002.1744442834.000000000359C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1786872785.000000000453A000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.0000000003505000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003565000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1786872785.000000000451E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.00000000034CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabS
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003565000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.000000000359C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1786872785.000000000453A000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1786872785.000000000451E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.0000000003505000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.00000000034CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003565000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.000000000359C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1786872785.000000000453A000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1786872785.000000000451E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.0000000003505000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.00000000034CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                        Source: RegAsm.exe, 00000003.00000002.1744442834.0000000003565000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.000000000359C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1786872785.000000000453A000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1786872785.000000000451E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.0000000003505000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.00000000034CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Temp\TmpCD1A.tmpJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Temp\TmpCD2B.tmpJump to dropped file
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0088CD800_2_0088CD80
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0087EEF00_2_0087EEF0
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008836630_2_00883663
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0087BE7D0_2_0087BE7D
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00883F4F0_2_00883F4F
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_013DDC743_2_013DDC74
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06A067D83_2_06A067D8
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06A0A3E83_2_06A0A3E8
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06A03F503_2_06A03F50
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06A0A3D83_2_06A0A3D8
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06A06FE83_2_06A06FE8
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06A06FF83_2_06A06FF8
                        Source: C:\Users\user\Desktop\file.exeCode function: String function: 00876C10 appears 49 times
                        Source: file.exeBinary or memory string: OriginalFilename vs file.exe
                        Source: file.exe, 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameStoutest.exe8 vs file.exe
                        Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: file.exeStatic PE information: Section: .Left ZLIB complexity 0.9980181055646481
                        Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@6/5@0/1
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMutant created: NULL
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7500:120:WilError_03
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Temp\TmpCD1A.tmpJump to behavior
                        Source: file.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Program Files (x86)\desktop.iniJump to behavior
                        Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                        Source: unknownProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
                        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dwrite.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msvcp140_clr0400.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msisip.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wshext.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: appxsip.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: opcservices.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: esdsip.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dpapi.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sxs.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: scrrun.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: linkinfo.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windowscodecs.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rstrtmgr.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncrypt.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntasn1.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32Jump to behavior
                        Source: Google Chrome.lnk.3.drLNK file: ..\..\..\Program Files\Google\Chrome\Application\chrome.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                        Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                        Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                        Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                        Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                        Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                        Source: file.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                        Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: file.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                        Source: file.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                        Source: file.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                        Source: file.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                        Source: file.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                        Source: file.exeStatic PE information: section name: .Left
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00875F0D push ecx; ret 0_2_00875F20
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_069E3BDC push E806BA4Ah; retf 3_2_069E3BE1
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_069E1015 push FFFFFF8Bh; ret 3_2_069E101A
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06A0DFD1 push es; ret 3_2_06A0DFE6
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06A0ECF2 push eax; ret 3_2_06A0ED01
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06A03B4F push dword ptr [esp+ecx*2-75h]; ret 3_2_06A03B53
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06A049AB push FFFFFF8Bh; retf 3_2_06A049AD

                        Persistence and Installation Behavior

                        barindex
                        Installs new ROOT certificates
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 BlobJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                        Malware Analysis System Evasion

                        barindex
                        Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                        Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 1380000 memory reserve | memory write watchJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 3050000 memory reserve | memory write watchJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 5050000 memory reserve | memory write watchJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 1272Jump to behavior
                        Source: C:\Users\user\Desktop\file.exeAPI coverage: 9.4 %
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7712Thread sleep time: -2767011611056431s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7584Thread sleep time: -922337203685477s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00888F67 FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00888F67
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: RegAsm.exe, 00000003.00000002.1790120525.0000000005AF1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information queried: ProcessInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008769EF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_008769EF
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0088A031 mov eax, dword ptr fs:[00000030h]0_2_0088A031
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008801B7 mov ecx, dword ptr fs:[00000030h]0_2_008801B7
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0088C630 GetProcessHeap,0_2_0088C630
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008769EF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_008769EF
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00876B4B SetUnhandledExceptionFilter,0_2_00876B4B
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008766E5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_008766E5
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0087A723 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0087A723
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: page read and write | page guardJump to behavior

                        HIPS / PFW / Operating System Protection Evasion

                        barindex
                        Allocates memory in foreign processes
                        Source: C:\Users\user\Desktop\file.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and writeJump to behavior
                        Injects a PE file into a foreign processes
                        Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5AJump to behavior
                        Writes to foreign memory regions
                        Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000Jump to behavior
                        Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000Jump to behavior
                        Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 432000Jump to behavior
                        Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000Jump to behavior
                        Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: EEB008Jump to behavior
                        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
                        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008764CC cpuid 0_2_008764CC
                        Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,0_2_0088C0D0
                        Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,0_2_00885032
                        Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_0088C1F9
                        Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,0_2_0088C2FF
                        Source: C:\Users\user\Desktop\file.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_0088C3CE
                        Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,0_2_0088BDF2
                        Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,0_2_0088BD0C
                        Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,0_2_00885558
                        Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,0_2_0088BD57
                        Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_0088BE7D
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008768E2 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_008768E2
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                        Stealing of Sensitive Information

                        barindex
                        Yara detected RedLine Stealer
                        Source: Yara matchFile source: dump.pcap, type: PCAP
                        Source: Yara matchFile source: 0.2.file.exe.89f018.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.file.exe.89f018.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.file.exe.870000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000003.00000002.1742509849.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: file.exe PID: 7492, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 7564, type: MEMORYSTR
                        Tries to harvest and steal browser information (history, passwords, etc)
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqliteJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension CookiesJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                        Tries to steal Crypto Currency Wallets
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Binance\Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\Jump to behavior
                        Source: Yara matchFile source: 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 7564, type: MEMORYSTR

                        Remote Access Functionality

                        barindex
                        Yara detected RedLine Stealer
                        Source: Yara matchFile source: dump.pcap, type: PCAP
                        Source: Yara matchFile source: 0.2.file.exe.89f018.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.file.exe.89f018.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.file.exe.870000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000003.00000002.1742509849.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: file.exe PID: 7492, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 7564, type: MEMORYSTR

                        Mitre Att&ck Matrix

                        ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                        Gather Victim Identity InformationAcquire InfrastructureValid Accounts221
                        Windows Management Instrumentation                        		1
                        DLL Side-Loading                        		311
                        Process Injection                        		1
                        Masquerading                        		1
                        OS Credential Dumping                        		1
                        System Time Discovery                        		Remote Services1
                        Archive Collected Data                        		1
                        Encrypted Channel                        		Exfiltration Over Other Network MediumAbuse Accessibility Features
                        CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
                        DLL Side-Loading                        		1
                        Disable or Modify Tools                        		LSASS Memory241
                        Security Software Discovery                        		Remote Desktop Protocol2
                        Data from Local System                        		1
                        Non-Standard Port                        		Exfiltration Over BluetoothNetwork Denial of Service
                        Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)241
                        Virtualization/Sandbox Evasion                        		Security Account Manager1
                        Process Discovery                        		SMB/Windows Admin SharesData from Network Shared Drive1
                        Application Layer Protocol                        		Automated ExfiltrationData Encrypted for Impact
                        Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook311
                        Process Injection                        		NTDS241
                        Virtualization/Sandbox Evasion                        		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                        Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                        Deobfuscate/Decode Files or Information                        		LSA Secrets1
                        Application Window Discovery                        		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                        Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts2
                        Obfuscated Files or Information                        		Cached Domain Credentials2
                        File and Directory Discovery                        		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                        DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                        Install Root Certificate                        		DCSync134
                        System Information Discovery                        		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                        Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                        Software Packing                        		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                        Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
                        DLL Side-Loading                        		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

                        Behavior Graph

                        Hide Legend

                        Legend:

                        • Process
                        • Signature
                        • Created File
                        • DNS/IP Info
                        • Is Dropped
                        • Is Windows Process
                        • Number of created Registry Values
                        • Number of created Files
                        • Visual Basic
                        • Delphi
                        • Java
                        • .Net C# or VB.NET
                        • C, C++ or other language
                        • Is malicious
                        • Internet

                        Screenshots

                        Thumbnails

                        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                        windows-stand

                        Antivirus, Machine Learning and Genetic Malware Detection

                        Initial Sample

                        SourceDetectionScannerLabelLink
                        file.exe100%AviraHEUR/AGEN.1317595
                        file.exe100%Joe Sandbox ML

                        Dropped Files

                        No Antivirus matches

                        Unpacked PE Files

                        No Antivirus matches

                        Domains

                        No Antivirus matches

                        URLs

                        SourceDetectionScannerLabelLink
                        https://api.ip.sb/ip0%URL Reputationsafe
                        http://tempuri.org/Entity/Id14ResponseD0%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id90%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id21Response0%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id23ResponseD0%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id50%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id2Response0%Avira URL Cloudsafe
                        http://tempuri.org/0%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id12Response0%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id6ResponseD0%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id80%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id40%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id60%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id19Response0%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id70%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id6Response0%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id1ResponseD0%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id15Response0%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id9Response0%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id5ResponseD0%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id13ResponseD0%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id200%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id230%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id220%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id210%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id1Response0%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id240%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id24Response0%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id100%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id110%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id21ResponseD0%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id10ResponseD0%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id120%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id130%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id16Response0%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id140%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id150%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id160%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id170%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id180%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id190%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id5Response0%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id10Response0%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id11ResponseD0%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id15ResponseD0%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id8Response0%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id17ResponseD0%Avira URL Cloudsafe

                        Domains and IPs

                        Contacted Domains

                        No contacted domains info

                        URLs from Memory and Binaries

                        NameSourceMaliciousAntivirus DetectionReputation
                        http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#TextRegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://schemas.xmlsoap.org/ws/2005/02/sc/sctRegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            https://duckduckgo.com/chrome_newtabRegAsm.exe, 00000003.00000002.1744442834.000000000359C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1786872785.000000000453A000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.0000000003505000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://schemas.xmlsoap.org/ws/2004/04/security/sc/dkRegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                https://duckduckgo.com/ac/?q=RegAsm.exe, 00000003.00000002.1744442834.0000000003565000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.000000000359C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1786872785.000000000453A000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1786872785.000000000451E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.0000000003505000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.00000000034CD000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://tempuri.org/Entity/Id14ResponseDRegAsm.exe, 00000003.00000002.1744442834.0000000003134000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://tempuri.org/Entity/Id23ResponseDRegAsm.exe, 00000003.00000002.1744442834.00000000032FE000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinaryRegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://tempuri.org/Entity/Id12ResponseRegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://tempuri.org/RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://tempuri.org/Entity/Id2ResponseRegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://tempuri.org/Entity/Id21ResponseRegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_WrapRegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://tempuri.org/Entity/Id9RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLIDRegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://tempuri.org/Entity/Id8RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://tempuri.org/Entity/Id6ResponseDRegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://tempuri.org/Entity/Id5RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://schemas.xmlsoap.org/ws/2004/10/wsat/PrepareRegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://tempuri.org/Entity/Id4RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://tempuri.org/Entity/Id7RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://tempuri.org/Entity/Id6RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecretRegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              http://tempuri.org/Entity/Id19ResponseRegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#licenseRegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/IssueRegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/AbortedRegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequenceRegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      http://tempuri.org/Entity/Id13ResponseDRegAsm.exe, 00000003.00000002.1744442834.0000000003134000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      		unknown
                                                      http://schemas.xmlsoap.org/ws/2004/10/wsat/faultRegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        http://schemas.xmlsoap.org/ws/2004/10/wsatRegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeyRegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            http://tempuri.org/Entity/Id15ResponseRegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            		unknown
                                                            http://tempuri.org/Entity/Id5ResponseDRegAsm.exe, 00000003.00000002.1744442834.0000000003134000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            		unknown
                                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameRegAsm.exe, 00000003.00000002.1744442834.0000000003134000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		high
                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/RenewRegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		high
                                                                http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterRegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    http://tempuri.org/Entity/Id6ResponseRegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    		unknown
                                                                    http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKeyRegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      https://api.ip.sb/ipfile.exe, file.exe, 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1742509849.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      		unknown
                                                                      http://schemas.xmlsoap.org/ws/2004/04/scRegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        		high
                                                                        http://tempuri.org/Entity/Id1ResponseDRegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        		unknown
                                                                        http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PCRegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          		high
                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/CancelRegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            		high
                                                                            http://tempuri.org/Entity/Id9ResponseRegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            		unknown
                                                                            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=RegAsm.exe, 00000003.00000002.1744442834.0000000003565000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.000000000359C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1786872785.000000000453A000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1786872785.000000000451E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.0000000003505000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.00000000034CD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              		high
                                                                              http://tempuri.org/Entity/Id20RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              		unknown
                                                                              http://tempuri.org/Entity/Id21RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              		unknown
                                                                              http://tempuri.org/Entity/Id22RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              		unknown
                                                                              http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                		high
                                                                                http://tempuri.org/Entity/Id23RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                		unknown
                                                                                http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  		high
                                                                                  http://tempuri.org/Entity/Id24RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  		unknown
                                                                                  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/IssueRegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    		high
                                                                                    http://tempuri.org/Entity/Id24ResponseRegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    		unknown
                                                                                    https://www.ecosia.org/newtab/RegAsm.exe, 00000003.00000002.1744442834.0000000003565000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.000000000359C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1786872785.000000000453A000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1786872785.000000000451E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.0000000003505000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.00000000034CD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      		high
                                                                                      http://tempuri.org/Entity/Id1ResponseRegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      		unknown
                                                                                      http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedRegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        		high
                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyRegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          		high
                                                                                          http://schemas.xmlsoap.org/ws/2004/10/wsat/ReplayRegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            		high
                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegoRegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              		high
                                                                                              http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64BinaryRegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                		high
                                                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCRegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  		high
                                                                                                  http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyRegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    		high
                                                                                                    http://tempuri.org/Entity/Id21ResponseDRegAsm.exe, 00000003.00000002.1744442834.0000000003134000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    		unknown
                                                                                                    http://schemas.xmlsoap.org/ws/2004/08/addressingRegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      		high
                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueRegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        		high
                                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletionRegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          		high
                                                                                                          http://schemas.xmlsoap.org/ws/2004/04/trustRegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            		high
                                                                                                            http://tempuri.org/Entity/Id10RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            		unknown
                                                                                                            http://tempuri.org/Entity/Id11RegAsm.exe, 00000003.00000002.1744442834.00000000032FE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            		unknown
                                                                                                            http://tempuri.org/Entity/Id10ResponseDRegAsm.exe, 00000003.00000002.1744442834.0000000003134000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            		unknown
                                                                                                            http://tempuri.org/Entity/Id12RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            		unknown
                                                                                                            http://tempuri.org/Entity/Id16ResponseRegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            		unknown
                                                                                                            http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseRegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              		high
                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelRegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                		high
                                                                                                                http://tempuri.org/Entity/Id13RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                		unknown
                                                                                                                http://tempuri.org/Entity/Id14RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                		unknown
                                                                                                                http://tempuri.org/Entity/Id15RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                		unknown
                                                                                                                http://tempuri.org/Entity/Id16RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                		unknown
                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/NonceRegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  		high
                                                                                                                  http://tempuri.org/Entity/Id17RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  • Avira URL Cloud: safe
                                                                                                                  		unknown
                                                                                                                  http://tempuri.org/Entity/Id18RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  • Avira URL Cloud: safe
                                                                                                                  		unknown
                                                                                                                  http://tempuri.org/Entity/Id5ResponseRegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  • Avira URL Cloud: safe
                                                                                                                  		unknown
                                                                                                                  http://tempuri.org/Entity/Id19RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  • Avira URL Cloud: safe
                                                                                                                  		unknown
                                                                                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsRegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    		high
                                                                                                                    http://tempuri.org/Entity/Id15ResponseDRegAsm.exe, 00000003.00000002.1744442834.0000000003134000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    		unknown
                                                                                                                    http://tempuri.org/Entity/Id10ResponseRegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    		unknown
                                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/RenewRegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      		high
                                                                                                                      http://tempuri.org/Entity/Id11ResponseDRegAsm.exe, 00000003.00000002.1744442834.00000000032FE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      		unknown
                                                                                                                      http://tempuri.org/Entity/Id8ResponseRegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      		unknown
                                                                                                                      http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyRegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        		high
                                                                                                                        http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0RegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          		high
                                                                                                                          http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDRegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            		high
                                                                                                                            http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTRegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              		high
                                                                                                                              http://schemas.xmlsoap.org/ws/2006/02/addressingidentityRegAsm.exe, 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                		high
                                                                                                                                http://tempuri.org/Entity/Id17ResponseDRegAsm.exe, 00000003.00000002.1744442834.0000000003134000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                		unknown
                                                                                                                                http://schemas.xmlsoap.org/soap/envelope/RegAsm.exe, 00000003.00000002.1744442834.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  		high

                                                                                                                                  World Map of Contacted IPs

                                                                                                                                  • No. of IPs < 25%
                                                                                                                                  • 25% < No. of IPs < 50%
                                                                                                                                  • 50% < No. of IPs < 75%
                                                                                                                                  • 75% < No. of IPs

                                                                                                                                  Public IPs

                                                                                                                                  IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                  5.42.65.96
                                                                                                                                  		unknownRussian Federation
                                                                                                                                  		39493RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRUtrue

                                                                                                                                  General Information

                                                                                                                                  Joe Sandbox version:40.0.0 Tourmaline
                                                                                                                                  Analysis ID:1435591
                                                                                                                                  Start date and time:2024-05-02 22:55:04 +02:00
                                                                                                                                  Joe Sandbox product:CloudBasic
                                                                                                                                  Overall analysis duration:0h 5m 0s
                                                                                                                                  Hypervisor based Inspection enabled:false
                                                                                                                                  Report type:full
                                                                                                                                  Cookbook file name:default.jbs
                                                                                                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                  Number of analysed new started processes analysed:9
                                                                                                                                  Number of new started drivers analysed:0
                                                                                                                                  Number of existing processes analysed:0
                                                                                                                                  Number of existing drivers analysed:0
                                                                                                                                  Number of injected processes analysed:0
                                                                                                                                  Technologies:
                                                                                                                                  • HCA enabled
                                                                                                                                  • EGA enabled
                                                                                                                                  • AMSI enabled
                                                                                                                                  Analysis Mode:default
                                                                                                                                  Analysis stop reason:Timeout
                                                                                                                                  Sample name:file.exe
                                                                                                                                  Detection:MAL
                                                                                                                                  Classification:mal100.troj.spyw.evad.winEXE@6/5@0/1
                                                                                                                                  EGA Information:
                                                                                                                                  • Successful, ratio: 100%
                                                                                                                                  HCA Information:
                                                                                                                                  • Successful, ratio: 92%
                                                                                                                                  • Number of executed functions: 96
                                                                                                                                  • Number of non-executed functions: 54
                                                                                                                                  Cookbook Comments:
                                                                                                                                  • Found application associated with file extension: .exe

                                                                                                                                  Warnings

                                                                                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                                                                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                                  • Not all processes where analyzed, report is missing behavior information
                                                                                                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                                  • VT rate limit hit for: file.exe

                                                                                                                                  Simulations

                                                                                                                                  Behavior and APIs

                                                                                                                                  TimeTypeDescription
                                                                                                                                  22:56:00API Interceptor8x Sleep call for process: RegAsm.exe modified

                                                                                                                                  Joe Sandbox View / Context

                                                                                                                                  IPs

                                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                  5.42.65.96tZvjMg3Hw9.exeGet hashmaliciousPureLog Stealer, RedLine, RisePro Stealer, Vidar, zgRATBrowse
                                                                                                                                    file.exeGet hashmaliciousRedLineBrowse
                                                                                                                                      WlCIinu0yp.exeGet hashmaliciousLummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer, Socks5Systemz, Vidar, zgRATBrowse
                                                                                                                                        file.exeGet hashmaliciousLummaC, GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLineBrowse
                                                                                                                                          file.exeGet hashmaliciousRedLineBrowse
                                                                                                                                            file.exeGet hashmaliciousLummaC, PureLog Stealer, RedLine, RisePro Stealer, Vidar, zgRATBrowse
                                                                                                                                              file.exeGet hashmaliciousRedLineBrowse
                                                                                                                                                file.exeGet hashmaliciousRedLineBrowse
                                                                                                                                                  file.exeGet hashmaliciousRedLineBrowse
                                                                                                                                                    file.exeGet hashmaliciousRedLineBrowse

                                                                                                                                                      Domains

                                                                                                                                                      No context

                                                                                                                                                      ASNs

                                                                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                      RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRUtZvjMg3Hw9.exeGet hashmaliciousPureLog Stealer, RedLine, RisePro Stealer, Vidar, zgRATBrowse
                                                                                                                                                      • 5.42.66.10
                                                                                                                                                      [V2]launcher.exeGet hashmaliciousPureLog Stealer, RedLine, XmrigBrowse
                                                                                                                                                      • 45.15.156.167
                                                                                                                                                      SecuriteInfo.com.Trojan.PWS.Siggen3.32416.6905.9348.exeGet hashmaliciousRedLineBrowse
                                                                                                                                                      • 5.42.65.101
                                                                                                                                                      file.exeGet hashmaliciousRedLineBrowse
                                                                                                                                                      • 5.42.65.96
                                                                                                                                                      VOrqSh1Fts.exeGet hashmaliciousNeoreklami, PureLog StealerBrowse
                                                                                                                                                      • 5.42.66.10
                                                                                                                                                      WlCIinu0yp.exeGet hashmaliciousLummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer, Socks5Systemz, Vidar, zgRATBrowse
                                                                                                                                                      • 5.42.66.10
                                                                                                                                                      file.exeGet hashmaliciousLummaC, GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLineBrowse
                                                                                                                                                      • 5.42.65.64
                                                                                                                                                      file.exeGet hashmaliciousRedLineBrowse
                                                                                                                                                      • 5.42.65.96
                                                                                                                                                      file.exeGet hashmaliciousLummaC, PureLog Stealer, RedLine, RisePro Stealer, Vidar, zgRATBrowse
                                                                                                                                                      • 5.42.65.64
                                                                                                                                                      file.exeGet hashmaliciousRedLineBrowse
                                                                                                                                                      • 5.42.65.96

                                                                                                                                                      JA3 Fingerprints

                                                                                                                                                      No context

                                                                                                                                                      Dropped Files

                                                                                                                                                      No context

                                                                                                                                                      Created / dropped Files

                                                                                                                                                      C:\Users\Public\Desktop\Google Chrome.lnk

                                                                                                                                                      Download File
                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 11:02:27 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):2104
                                                                                                                                                      Entropy (8bit):3.4559105390117493
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:48:8SSdqTWSxRYrnvPdAKRkdAGdAKRFdAKR/U:8S/e
                                                                                                                                                      MD5:B47525FBA312522F31864AFEE24F287E
                                                                                                                                                      SHA1:6AD22A5DD1CDD2DDEA11781A95C6232893DA97C7
                                                                                                                                                      SHA-256:D1C78896C87F51C874A35986B29F1C8B4B65F2079D4FDB18DD102D7B707FA55A
                                                                                                                                                      SHA-512:9B900C80EAAAD6890FF95AFCAEEBCDFB87FA5DBF08688EFAF51FAF2D11FFC518A4F00A86198D45AABD1C90ACDC18FB5417CB7D17DD27B51789DA2685EBAF7EB4
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:low
                                                                                                                                                      Preview:L..................F.@.. ......,....rx........q.... y1.....................#....P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IDW5`....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VDWN`....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VDWN`....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VDWN`..........................."&.A.p.p.l.i.c.a.t.i.o.n.....`.2. y1.;W.+ .chrome.exe..F......CW.VDWH`..........................,.6.c.h.r.o.m.e...e.x.e.......d...............-.......c............F.......C:\Program Files\Google\Chrome\Application\chrome.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.;.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.!.-.-.p.r.o.x.y.-.s.e.r.v.e.r

                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

                                                                                                                                                      Download File
                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):3274
                                                                                                                                                      Entropy (8bit):5.3318368586986695
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlqY
                                                                                                                                                      MD5:0B2E58EF6402AD69025B36C36D16B67F
                                                                                                                                                      SHA1:5ECC642327EF5E6A54B7918A4BD7B46A512BF926
                                                                                                                                                      SHA-256:4B0FB8EECEAD6C835CED9E06F47D9021C2BCDB196F2D60A96FEE09391752C2D7
                                                                                                                                                      SHA-512:1464106CEC5E264F8CEA7B7FF03C887DA5192A976FBC9369FC60A480A7B9DB0ED1956EFCE6FFAD2E40A790BD51FD27BB037256964BC7B4B2DA6D4D5C6B267FA1
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:moderate, very likely benign file
                                                                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                                                                                                                                      C:\Users\user\AppData\Local\Temp\TmpCD1A.tmp

                                                                                                                                                      Download File
                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                      File Type:data
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):2662
                                                                                                                                                      Entropy (8bit):7.8230547059446645
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
                                                                                                                                                      MD5:1420D30F964EAC2C85B2CCFE968EEBCE
                                                                                                                                                      SHA1:BDF9A6876578A3E38079C4F8CF5D6C79687AD750
                                                                                                                                                      SHA-256:F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
                                                                                                                                                      SHA-512:6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:moderate, very likely benign file
                                                                                                                                                      Preview:0..b...0.."..*.H..............0...0.....*.H..............0...0.....*.H............0...0...*.H.......0...p.,|.(.............mW.....$|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%..*.X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...|B.d..kr.=G.g.v..f.d.C.?..*.0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

                                                                                                                                                      C:\Users\user\AppData\Local\Temp\TmpCD2B.tmp

                                                                                                                                                      Download File
                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                      File Type:data
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):2662
                                                                                                                                                      Entropy (8bit):7.8230547059446645
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
                                                                                                                                                      MD5:1420D30F964EAC2C85B2CCFE968EEBCE
                                                                                                                                                      SHA1:BDF9A6876578A3E38079C4F8CF5D6C79687AD750
                                                                                                                                                      SHA-256:F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
                                                                                                                                                      SHA-512:6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:moderate, very likely benign file
                                                                                                                                                      Preview:0..b...0.."..*.H..............0...0.....*.H..............0...0.....*.H............0...0...*.H.......0...p.,|.(.............mW.....$|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%..*.X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...|B.d..kr.=G.g.v..f.d.C.?..*.0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

                                                                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

                                                                                                                                                      Download File
                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                      File Type:data
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):2251
                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3::
                                                                                                                                                      MD5:0158FE9CEAD91D1B027B795984737614
                                                                                                                                                      SHA1:B41A11F909A7BDF1115088790A5680AC4E23031B
                                                                                                                                                      SHA-256:513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A
                                                                                                                                                      SHA-512:C48A55CC7A92CEFCEFE5FB2382CCD8EF651FC8E0885E88A256CD2F5D83B824B7D910F755180B29ECCB54D9361D6AF82F9CC741BD7E6752122949B657DA973676
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:moderate, very likely benign file
                                                                                                                                                      Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                      Static File Info

                                                                                                                                                      General

                                                                                                                                                      File type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                      Entropy (8bit):7.6739546549390685
                                                                                                                                                      TrID:
                                                                                                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                      File name:file.exe
                                                                                                                                                      File size:502'272 bytes
                                                                                                                                                      MD5:b09b19c780bfaa784ccf35dc454f9326
                                                                                                                                                      SHA1:0efc9a13e26c279bcf9d07bdb62f928f19860c7a
                                                                                                                                                      SHA256:4bf00732a644554a0bef0eb0fa080a182a63b52eda03dd8d4df8704feebf20d2
                                                                                                                                                      SHA512:862ba80daa00c9402db064a028dd20c79afdda5fa0d7211319f1b84831a2b62023bd2e6ddcbb0367feb1afbe3d3c835a2c745d38a4e6a1953fa140e6c694c8bd
                                                                                                                                                      SSDEEP:12288:aW5NIYF4bnCv2clgw4exVxfY/pTiQwBNhKHo:F7IY+wh4eQpTiQwDW
                                                                                                                                                      TLSH:3EB4F10675C1C073E5B314310AF1DAB89EBEBDB00A65AADF67940F7E5F30142D631A6A
                                                                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......{.+z?.E)?.E)?.E)..F(3.E)..@(..E)..A(*.E)..A(-.E)..F(+.E)..D(:.E)?.D)e.E)..@(r.E)..@(>.E)...)>.E)..G(>.E)Rich?.E)........PE..L..

                                                                                                                                                      File Icon

                                                                                                                                                      Icon Hash:90cececece8e8eb0

                                                                                                                                                      Static PE Info

                                                                                                                                                      General

                                                                                                                                                      Entrypoint:0x406239
                                                                                                                                                      Entrypoint Section:.text
                                                                                                                                                      Digitally signed:false
                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                      Subsystem:windows cui
                                                                                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                                      Time Stamp:0x6633D7BF [Thu May 2 18:13:19 2024 UTC]
                                                                                                                                                      TLS Callbacks:
                                                                                                                                                      CLR (.Net) Version:
                                                                                                                                                      OS Version Major:6
                                                                                                                                                      OS Version Minor:0
                                                                                                                                                      File Version Major:6
                                                                                                                                                      File Version Minor:0
                                                                                                                                                      Subsystem Version Major:6
                                                                                                                                                      Subsystem Version Minor:0
                                                                                                                                                      Import Hash:ab27116ad46b656bb5d70aa3050a97a2

                                                                                                                                                      Entrypoint Preview

                                                                                                                                                      Instruction
                                                                                                                                                      call 00007F33D0CA8236h
                                                                                                                                                      jmp 00007F33D0CA79B9h
                                                                                                                                                      push ebp
                                                                                                                                                      mov ebp, esp
                                                                                                                                                      mov eax, dword ptr [ebp+08h]
                                                                                                                                                      push esi
                                                                                                                                                      mov ecx, dword ptr [eax+3Ch]
                                                                                                                                                      add ecx, eax
                                                                                                                                                      movzx eax, word ptr [ecx+14h]
                                                                                                                                                      lea edx, dword ptr [ecx+18h]
                                                                                                                                                      add edx, eax
                                                                                                                                                      movzx eax, word ptr [ecx+06h]
                                                                                                                                                      imul esi, eax, 28h
                                                                                                                                                      add esi, edx
                                                                                                                                                      cmp edx, esi
                                                                                                                                                      je 00007F33D0CA7B5Bh
                                                                                                                                                      mov ecx, dword ptr [ebp+0Ch]
                                                                                                                                                      cmp ecx, dword ptr [edx+0Ch]
                                                                                                                                                      jc 00007F33D0CA7B4Ch
                                                                                                                                                      mov eax, dword ptr [edx+08h]
                                                                                                                                                      add eax, dword ptr [edx+0Ch]
                                                                                                                                                      cmp ecx, eax
                                                                                                                                                      jc 00007F33D0CA7B4Eh
                                                                                                                                                      add edx, 28h
                                                                                                                                                      cmp edx, esi
                                                                                                                                                      jne 00007F33D0CA7B2Ch
                                                                                                                                                      xor eax, eax
                                                                                                                                                      pop esi
                                                                                                                                                      pop ebp
                                                                                                                                                      ret
                                                                                                                                                      mov eax, edx
                                                                                                                                                      jmp 00007F33D0CA7B3Bh
                                                                                                                                                      push esi
                                                                                                                                                      call 00007F33D0CA850Dh
                                                                                                                                                      test eax, eax
                                                                                                                                                      je 00007F33D0CA7B62h
                                                                                                                                                      mov eax, dword ptr fs:[00000018h]
                                                                                                                                                      mov esi, 0042E254h
                                                                                                                                                      mov edx, dword ptr [eax+04h]
                                                                                                                                                      jmp 00007F33D0CA7B46h
                                                                                                                                                      cmp edx, eax
                                                                                                                                                      je 00007F33D0CA7B52h
                                                                                                                                                      xor eax, eax
                                                                                                                                                      mov ecx, edx
                                                                                                                                                      lock cmpxchg dword ptr [esi], ecx
                                                                                                                                                      test eax, eax
                                                                                                                                                      jne 00007F33D0CA7B32h
                                                                                                                                                      xor al, al
                                                                                                                                                      pop esi
                                                                                                                                                      ret
                                                                                                                                                      mov al, 01h
                                                                                                                                                      pop esi
                                                                                                                                                      ret
                                                                                                                                                      push ebp
                                                                                                                                                      mov ebp, esp
                                                                                                                                                      cmp dword ptr [ebp+08h], 00000000h
                                                                                                                                                      jne 00007F33D0CA7B49h
                                                                                                                                                      mov byte ptr [0042E258h], 00000001h
                                                                                                                                                      call 00007F33D0CA7D43h
                                                                                                                                                      call 00007F33D0CAAAA0h
                                                                                                                                                      test al, al
                                                                                                                                                      jne 00007F33D0CA7B46h
                                                                                                                                                      xor al, al
                                                                                                                                                      pop ebp
                                                                                                                                                      ret
                                                                                                                                                      call 00007F33D0CB3740h
                                                                                                                                                      test al, al
                                                                                                                                                      jne 00007F33D0CA7B4Ch
                                                                                                                                                      push 00000000h
                                                                                                                                                      call 00007F33D0CAAAA7h
                                                                                                                                                      pop ecx
                                                                                                                                                      jmp 00007F33D0CA7B2Bh
                                                                                                                                                      mov al, 01h
                                                                                                                                                      pop ebp
                                                                                                                                                      ret
                                                                                                                                                      push ebp
                                                                                                                                                      mov ebp, esp
                                                                                                                                                      cmp byte ptr [0042E259h], 00000000h
                                                                                                                                                      je 00007F33D0CA7B46h
                                                                                                                                                      mov al, 01h

                                                                                                                                                      Data Directories

                                                                                                                                                      NameVirtual AddressVirtual Size Is in Section
                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_IMPORT0x2c5fc0x3c.rdata
                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE0x7c0000x1e0.rsrc
                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC0x7d0000x1a60.reloc
                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_DEBUG0x2aba80x1c.rdata
                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x2aae80x40.rdata
                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_IAT0x230000x140.rdata
                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                                                                                      Sections

                                                                                                                                                      NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                                                                      .text0x10000x2120f0x21400eea591e7044a57e321ef84feff1625ccFalse0.5809592340225563data6.627182847461709IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                                                                                      .rdata0x230000x9d300x9e00c10f3fb03e9a1ab0638518744af45fdaFalse0.43482990506329117data4.959860378128255IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                                                      .data0x2d0000x1d540x100096f6fc94400f9b3c80d126cafa6f2df3False0.190673828125data3.018020491461944IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                                      .Left0x2f0000x4c4c40x4c60047cf34fa0aa3573e62d9e3071b564611False0.9980181055646481data7.998997410016008IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                                      .rsrc0x7c0000x1e00x2005b005c249129c6a5b1fa0a8e8a6bce9eFalse0.53125data4.7176788329467545IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                                                      .reloc0x7d0000x1a600x1c00ffa018fa0ff6a602e133d892d6803856False0.7205636160714286data6.362035067940247IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                                                                      Resources

                                                                                                                                                      NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                                                                                      RT_MANIFEST0x7c0600x17dXML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.5931758530183727

                                                                                                                                                      Imports

                                                                                                                                                      DLLImport
                                                                                                                                                      USER32.dllOpenIcon
                                                                                                                                                      KERNEL32.dllLoadLibraryExW, CreateFileW, VirtualProtect, FreeConsole, WideCharToMultiByte, MultiByteToWideChar, GetStringTypeW, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, GetCPInfo, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, HeapSize, RaiseException, RtlUnwind, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, WriteConsoleW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, GetFileType, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileSizeEx, SetFilePointerEx, CloseHandle, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetProcessHeap, ReadConsoleW

                                                                                                                                                      Possible Origin

                                                                                                                                                      Language of compilation systemCountry where language is spokenMap
                                                                                                                                                      EnglishUnited States

                                                                                                                                                      Network Behavior

                                                                                                                                                      Snort IDS Alerts

                                                                                                                                                      TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                                                                                                                      05/02/24-22:55:51.421922TCP2046045ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)4973028380192.168.2.45.42.65.96
                                                                                                                                                      05/02/24-22:55:56.823634TCP2046056ET TROJAN Redline Stealer/MetaStealer Family Activity (Response)28380497305.42.65.96192.168.2.4
                                                                                                                                                      05/02/24-22:56:02.792026TCP2043231ET TROJAN Redline Stealer TCP CnC Activity4973028380192.168.2.45.42.65.96
                                                                                                                                                      05/02/24-22:55:51.596736TCP2043234ET MALWARE Redline Stealer TCP CnC - Id1Response28380497305.42.65.96192.168.2.4

                                                                                                                                                      Network Port Distribution

                                                                                                                                                      TCP Packets

                                                                                                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                      May 2, 2024 22:55:51.017730951 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:51.193145990 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:51.193259954 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:51.215416908 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:51.388891935 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:51.421921968 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:51.596735954 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:51.643204927 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:56.647295952 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:56.823633909 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:56.823676109 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:56.823720932 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:56.823735952 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:56.823801041 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:56.823832035 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:56.823839903 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:56.877466917 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:56.953830004 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:57.127950907 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:57.166790009 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:57.341685057 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:57.393079996 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:57.408817053 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:57.582168102 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:57.582269907 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:57.582612991 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:57.582652092 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:57.582817078 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:57.583018064 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:57.623779058 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:57.755727053 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:57.755868912 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:57.756592989 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:57.799316883 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:57.849701881 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:58.022964001 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.023035049 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:58.023047924 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.023112059 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:58.023241997 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.023307085 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:58.023439884 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.023598909 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.023610115 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.023619890 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.023667097 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:58.196268082 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.196357965 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:58.196521044 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.196557045 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.196583033 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:58.196604013 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:58.196619034 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.196697950 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.196829081 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.196857929 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.196942091 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.197067976 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.197076082 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:58.197114944 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:58.197244883 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.197308064 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:58.197447062 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.197494030 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:58.197566032 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.197608948 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:58.197737932 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.197947025 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.198071003 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.198323965 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.369921923 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.369940996 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.370053053 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.370193958 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.370450020 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.370584965 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.370690107 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.370842934 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.371001959 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.371139050 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:58.371216059 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:58.371366978 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.371546984 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.371556997 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.371639013 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.371903896 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.372148991 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.372391939 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.372669935 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:58.372730970 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:58.546720982 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.547205925 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.547835112 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.547983885 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.548276901 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.548420906 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.548574924 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.548854113 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.548999071 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.549325943 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.549487114 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.549796104 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.549958944 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.549969912 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.550106049 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.550263882 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.550422907 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.550591946 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.550888062 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.551024914 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.551034927 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.551045895 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.551054955 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.551064014 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.551346064 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.551408052 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:58.551486015 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:58.551640987 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.551923990 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.552194118 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.552494049 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.553088903 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.553540945 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.553883076 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.554009914 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.554228067 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.554641962 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.554925919 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.554977894 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.555217028 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.555398941 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.555749893 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.725425959 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.725442886 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.725452900 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.725531101 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.725533009 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:58.725544930 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.725590944 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:58.725629091 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.725651026 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.725661039 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.725707054 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.725801945 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.725893974 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.725928068 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.725984097 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.726099968 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.726161003 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.726208925 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.726370096 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.726421118 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.726468086 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.726511002 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.726563931 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.726628065 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.726669073 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.726726055 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.726871014 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.726886034 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.727260113 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.727274895 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.727296114 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.727356911 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.727384090 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.727428913 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.727662086 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.727715969 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.727757931 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.727817059 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.727833033 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.727900982 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.727948904 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.727992058 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.728096962 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.728131056 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.728295088 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.728347063 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.728400946 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.728521109 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.728585958 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.728629112 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.728693962 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.728878975 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.728897095 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.898814917 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.898833036 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.898938894 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.898979902 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.898989916 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.899147034 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:58.899429083 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:58.899553061 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:58.899553061 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:58.899616003 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:59.072952032 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.072968960 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.073129892 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.073285103 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.073347092 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.073384047 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.073609114 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.073719978 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.073935032 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.074179888 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.074300051 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.074506998 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.074601889 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.074731112 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.074790955 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:59.074883938 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:59.074893951 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.075166941 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.075241089 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.075501919 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.075618029 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.075788975 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.075953960 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.076122999 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.076267004 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.076438904 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:59.076498985 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:59.248224020 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.248411894 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.248461962 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.248472929 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.248560905 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.248770952 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.249284983 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.249449015 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.249711037 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.250046968 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.250057936 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.250106096 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.250168085 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.250211000 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.250391960 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.250443935 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:59.250564098 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.250719070 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.250904083 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.251049995 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.251243114 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.251466990 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.251513958 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.251693964 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.251987934 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.252053022 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.423950911 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.423969030 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.424348116 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.424442053 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.425806046 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.428405046 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:59.602973938 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.612109900 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:59.787134886 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.794013023 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:55:59.968051910 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:55:59.969198942 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:56:00.143498898 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:56:00.150090933 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:56:00.323596001 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:56:00.324331045 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:56:00.329181910 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:56:00.503541946 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:56:00.549340010 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:56:00.580075026 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:56:00.755806923 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:56:00.797420979 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:56:00.971322060 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:56:00.977446079 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:56:01.152591944 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:56:01.163758993 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:56:01.337809086 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:56:01.339976072 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:56:01.513891935 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:56:01.564973116 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:56:01.654443979 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:56:01.828315020 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:56:01.831315041 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:56:02.005290985 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:56:02.049335957 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:56:02.441504955 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:56:02.615081072 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:56:02.616664886 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:56:02.617150068 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:56:02.791130066 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:56:02.792026043 CEST4973028380192.168.2.45.42.65.96
                                                                                                                                                      May 2, 2024 22:56:02.968489885 CEST28380497305.42.65.96192.168.2.4
                                                                                                                                                      May 2, 2024 22:56:03.008491993 CEST4973028380192.168.2.45.42.65.96

                                                                                                                                                      Statistics

                                                                                                                                                      CPU Usage

                                                                                                                                                      Click to jump to process

                                                                                                                                                      Memory Usage

                                                                                                                                                      Click to jump to process

                                                                                                                                                      High Level Behavior Distribution

                                                                                                                                                      Click to dive into process behavior distribution

                                                                                                                                                      Behavior

                                                                                                                                                      Click to jump to process

                                                                                                                                                      System Behavior

                                                                                                                                                      General

                                                                                                                                                      Target ID:0
                                                                                                                                                      Start time:22:55:48
                                                                                                                                                      Start date:02/05/2024
                                                                                                                                                      Path:C:\Users\user\Desktop\file.exe
                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                      Commandline:"C:\Users\user\Desktop\file.exe"
                                                                                                                                                      Imagebase:0x870000
                                                                                                                                                      File size:502'272 bytes
                                                                                                                                                      MD5 hash:B09B19C780BFAA784CCF35DC454F9326
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Yara matches:
                                                                                                                                                      • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                                                      Reputation:low
                                                                                                                                                      Has exited:true

                                                                                                                                                      General

                                                                                                                                                      Target ID:1
                                                                                                                                                      Start time:22:55:48
                                                                                                                                                      Start date:02/05/2024
                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Reputation:high
                                                                                                                                                      Has exited:true

                                                                                                                                                      General

                                                                                                                                                      Target ID:2
                                                                                                                                                      Start time:22:55:48
                                                                                                                                                      Start date:02/05/2024
                                                                                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                                                                      Imagebase:0x90000
                                                                                                                                                      File size:65'440 bytes
                                                                                                                                                      MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Reputation:high
                                                                                                                                                      Has exited:true

                                                                                                                                                      General

                                                                                                                                                      Target ID:3
                                                                                                                                                      Start time:22:55:48
                                                                                                                                                      Start date:02/05/2024
                                                                                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                                                                      Imagebase:0xce0000
                                                                                                                                                      File size:65'440 bytes
                                                                                                                                                      MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Yara matches:
                                                                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.1744442834.00000000030F7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.1742509849.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      Reputation:high
                                                                                                                                                      Has exited:true

                                                                                                                                                      Disassembly

                                                                                                                                                      Reset < >

                                                                                                                                                        Execution Graph

                                                                                                                                                        Execution Coverage:3.1%
                                                                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                        Signature Coverage:3.3%
                                                                                                                                                        Total number of Nodes:2000
                                                                                                                                                        Total number of Limit Nodes:50
                                                                                                                                                        execution_graph 18052 88b48e 18053 88b4a3 18052->18053 18056 885405 18053->18056 18057 885111 std::_Lockit::_Lockit 5 API calls 18056->18057 18058 885413 18057->18058 18060 885419 18058->18060 18061 885032 18058->18061 18062 88503e __FrameHandler3::FrameUnwindToState 18061->18062 18068 87cd14 EnterCriticalSection 18062->18068 18064 88504c std::_Lockit::_Lockit 18065 88505d EnumSystemLocalesW 18064->18065 18069 8850a2 18065->18069 18068->18064 18072 87cd5c LeaveCriticalSection 18069->18072 18071 88508b 18071->18060 18072->18071 20068 886580 20069 88658d 20068->20069 20073 8865a5 20068->20073 20070 87d610 __strnicoll 14 API calls 20069->20070 20071 886592 20070->20071 20072 87a91f __strnicoll 41 API calls 20071->20072 20082 88659d 20072->20082 20074 886604 20073->20074 20075 886d25 _Ungetc 14 API calls 20073->20075 20073->20082 20076 884ca2 _Ungetc 41 API calls 20074->20076 20075->20074 20077 88661d 20076->20077 20088 88ece9 20077->20088 20080 884ca2 _Ungetc 41 API calls 20081 886656 20080->20081 20081->20082 20083 884ca2 _Ungetc 41 API calls 20081->20083 20084 886664 20083->20084 20084->20082 20085 884ca2 _Ungetc 41 API calls 20084->20085 20086 886672 20085->20086 20087 884ca2 _Ungetc 41 API calls 20086->20087 20087->20082 20089 88ecf5 __FrameHandler3::FrameUnwindToState 20088->20089 20090 88ecfd 20089->20090 20091 88ed15 20089->20091 20092 87d5fd __dosmaperr 14 API calls 20090->20092 20093 88edd2 20091->20093 20098 88ed4b 20091->20098 20095 88ed02 20092->20095 20094 87d5fd __dosmaperr 14 API calls 20093->20094 20096 88edd7 20094->20096 20097 87d610 __strnicoll 14 API calls 20095->20097 20099 87d610 __strnicoll 14 API calls 20096->20099 20117 886625 20097->20117 20100 88ed69 20098->20100 20101 88ed54 20098->20101 20104 88ed61 20099->20104 20118 88a1b0 EnterCriticalSection 20100->20118 20102 87d5fd __dosmaperr 14 API calls 20101->20102 20105 88ed59 20102->20105 20110 87a91f __strnicoll 41 API calls 20104->20110 20107 87d610 __strnicoll 14 API calls 20105->20107 20106 88ed6f 20108 88ed8b 20106->20108 20109 88eda0 20106->20109 20107->20104 20111 87d610 __strnicoll 14 API calls 20108->20111 20119 88edfd 20109->20119 20110->20117 20113 88ed90 20111->20113 20115 87d5fd __dosmaperr 14 API calls 20113->20115 20114 88ed9b 20182 88edca 20114->20182 20115->20114 20117->20080 20117->20082 20118->20106 20120 88ee0f 20119->20120 20121 88ee27 20119->20121 20122 87d5fd __dosmaperr 14 API calls 20120->20122 20123 88f17d 20121->20123 20128 88ee6d 20121->20128 20124 88ee14 20122->20124 20125 87d5fd __dosmaperr 14 API calls 20123->20125 20126 87d610 __strnicoll 14 API calls 20124->20126 20127 88f182 20125->20127 20130 88ee1c 20126->20130 20131 87d610 __strnicoll 14 API calls 20127->20131 20129 88ee78 20128->20129 20128->20130 20137 88eea8 20128->20137 20132 87d5fd __dosmaperr 14 API calls 20129->20132 20130->20114 20133 88ee85 20131->20133 20134 88ee7d 20132->20134 20135 87a91f __strnicoll 41 API calls 20133->20135 20136 87d610 __strnicoll 14 API calls 20134->20136 20135->20130 20136->20133 20138 88eec1 20137->20138 20139 88eedb 20137->20139 20140 88ef0c 20137->20140 20138->20139 20141 88eec6 20138->20141 20142 87d5fd __dosmaperr 14 API calls 20139->20142 20143 883d40 std::_Locinfo::_Locinfo_ctor 15 API calls 20140->20143 20145 88e4e0 ___scrt_uninitialize_crt 41 API calls 20141->20145 20144 88eee0 20142->20144 20146 88ef1d 20143->20146 20147 87d610 __strnicoll 14 API calls 20144->20147 20149 88f059 20145->20149 20150 883d06 ___free_lconv_mon 14 API calls 20146->20150 20148 88eee7 20147->20148 20151 87a91f __strnicoll 41 API calls 20148->20151 20152 88f0cd 20149->20152 20155 88f072 GetConsoleMode 20149->20155 20153 88ef26 20150->20153 20181 88eef2 20151->20181 20154 88f0d1 ReadFile 20152->20154 20156 883d06 ___free_lconv_mon 14 API calls 20153->20156 20157 88f0e9 20154->20157 20158 88f145 GetLastError 20154->20158 20155->20152 20159 88f083 20155->20159 20160 88ef2d 20156->20160 20157->20158 20162 88f0c2 20157->20162 20161 88f152 20158->20161 20169 88f0a9 20158->20169 20159->20154 20163 88f089 ReadConsoleW 20159->20163 20164 88ef52 20160->20164 20165 88ef37 20160->20165 20166 87d610 __strnicoll 14 API calls 20161->20166 20177 88f10e 20162->20177 20178 88f125 20162->20178 20162->20181 20163->20162 20168 88f0a3 GetLastError 20163->20168 20167 888398 43 API calls 20164->20167 20171 87d610 __strnicoll 14 API calls 20165->20171 20173 88f157 20166->20173 20167->20141 20168->20169 20174 87d5b6 __dosmaperr 14 API calls 20169->20174 20169->20181 20170 883d06 ___free_lconv_mon 14 API calls 20170->20130 20172 88ef3c 20171->20172 20175 87d5fd __dosmaperr 14 API calls 20172->20175 20176 87d5fd __dosmaperr 14 API calls 20173->20176 20174->20181 20175->20181 20176->20181 20185 88eb17 20177->20185 20178->20181 20198 88e96f 20178->20198 20181->20170 20210 88a1d3 LeaveCriticalSection 20182->20210 20184 88edd0 20184->20117 20204 88e823 20185->20204 20187 8887db std::_Locinfo::_Locinfo_ctor MultiByteToWideChar 20189 88ec2b 20187->20189 20191 88ec34 GetLastError 20189->20191 20195 88eb5f 20189->20195 20190 88eba9 20192 87d610 __strnicoll 14 API calls 20190->20192 20194 87d5b6 __dosmaperr 14 API calls 20191->20194 20192->20195 20193 88ebb9 20196 888398 43 API calls 20193->20196 20197 88eb73 20193->20197 20194->20195 20195->20181 20196->20197 20197->20187 20199 88e9a6 20198->20199 20200 88ea3b ReadFile 20199->20200 20202 88ea36 20199->20202 20201 88ea58 20200->20201 20200->20202 20201->20202 20203 888398 43 API calls 20201->20203 20202->20181 20203->20202 20205 88e857 20204->20205 20206 88e8c6 ReadFile 20205->20206 20207 88e8c1 20205->20207 20206->20207 20208 88e8df 20206->20208 20207->20190 20207->20193 20207->20195 20207->20197 20208->20207 20209 888398 43 API calls 20208->20209 20209->20207 20210->20184 20290 884f96 20291 884fa2 __FrameHandler3::FrameUnwindToState 20290->20291 20302 87cd14 EnterCriticalSection 20291->20302 20293 884fa9 20303 88a112 20293->20303 20300 884ee6 2 API calls 20301 884fc7 20300->20301 20322 884fed 20301->20322 20302->20293 20304 88a11e __FrameHandler3::FrameUnwindToState 20303->20304 20305 88a148 20304->20305 20306 88a127 20304->20306 20325 87cd14 EnterCriticalSection 20305->20325 20307 87d610 __strnicoll 14 API calls 20306->20307 20309 88a12c 20307->20309 20310 87a91f __strnicoll 41 API calls 20309->20310 20312 884fb8 20310->20312 20311 88a180 20333 88a1a7 20311->20333 20312->20301 20316 884e30 GetStartupInfoW 20312->20316 20313 88a154 20313->20311 20326 88a062 20313->20326 20317 884e4d 20316->20317 20318 884ee1 20316->20318 20317->20318 20319 88a112 42 API calls 20317->20319 20318->20300 20320 884e75 20319->20320 20320->20318 20321 884ea5 GetFileType 20320->20321 20321->20320 20337 87cd5c LeaveCriticalSection 20322->20337 20324 884fd8 20325->20313 20327 883ca9 __Getctype 14 API calls 20326->20327 20329 88a074 20327->20329 20328 88a081 20330 883d06 ___free_lconv_mon 14 API calls 20328->20330 20329->20328 20331 8855d3 6 API calls 20329->20331 20332 88a0d6 20330->20332 20331->20329 20332->20313 20336 87cd5c LeaveCriticalSection 20333->20336 20335 88a1ae 20335->20312 20336->20335 20337->20324 18405 87e2ab 18406 87e2bd 18405->18406 18410 87e2c6 ___scrt_uninitialize_crt 18405->18410 18407 87e12f ___scrt_uninitialize_crt 70 API calls 18406->18407 18408 87e2c3 18407->18408 18409 87e2d7 18410->18409 18413 87e0cf 18410->18413 18414 87e0db __FrameHandler3::FrameUnwindToState 18413->18414 18421 87d747 EnterCriticalSection 18414->18421 18416 87e0e9 18417 87e23d ___scrt_uninitialize_crt 70 API calls 18416->18417 18418 87e0fa 18417->18418 18422 87e123 18418->18422 18421->18416 18425 87d75b LeaveCriticalSection 18422->18425 18424 87e10c 18425->18424 18426 8756a9 18427 8756cb 18426->18427 18431 8756e0 18426->18431 18432 874d58 18427->18432 18435 874d73 18432->18435 18437 874dc4 18432->18437 18433 875eff __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 18434 874ddc 18433->18434 18434->18431 18438 87e4ae 18434->18438 18436 87eac6 69 API calls 18435->18436 18435->18437 18436->18437 18437->18433 18439 87e4ce 18438->18439 18440 87e4b9 18438->18440 18439->18440 18442 87e4d5 18439->18442 18441 87d610 __strnicoll 14 API calls 18440->18441 18443 87e4be 18441->18443 18448 87e7c4 18442->18448 18445 87a91f __strnicoll 41 API calls 18443->18445 18447 87e4c9 18445->18447 18447->18431 18449 87e7d7 _Fputc 18448->18449 18454 87e563 18449->18454 18452 87a65b _Fputc 41 API calls 18453 87e4e4 18452->18453 18453->18431 18455 87e56f __FrameHandler3::FrameUnwindToState 18454->18455 18456 87e575 18455->18456 18458 87e5a9 18455->18458 18457 87a8a2 __strnicoll 29 API calls 18456->18457 18460 87e590 18457->18460 18465 87d747 EnterCriticalSection 18458->18465 18460->18452 18461 87e5b5 18466 87e6d8 18461->18466 18463 87e5cc 18475 87e5f5 18463->18475 18465->18461 18467 87e6fe 18466->18467 18468 87e6eb 18466->18468 18478 87e5ff 18467->18478 18468->18463 18470 87e7af 18470->18463 18471 87e721 18471->18470 18472 87e1d4 ___scrt_uninitialize_crt 66 API calls 18471->18472 18473 87e74f 18472->18473 18482 8883d8 18473->18482 18491 87d75b LeaveCriticalSection 18475->18491 18477 87e5fd 18477->18460 18479 87e610 18478->18479 18481 87e668 18478->18481 18479->18481 18485 888398 18479->18485 18481->18471 18483 8882b7 ___scrt_uninitialize_crt 43 API calls 18482->18483 18484 8883f1 18483->18484 18484->18470 18486 8883ac _Fputc 18485->18486 18487 8882b7 ___scrt_uninitialize_crt 43 API calls 18486->18487 18488 8883c1 18487->18488 18489 87a65b _Fputc 41 API calls 18488->18489 18490 8883d0 18489->18490 18490->18481 18491->18477 16233 8760b7 16234 8760c3 __FrameHandler3::FrameUnwindToState 16233->16234 16259 8762b9 16234->16259 16236 8760ca 16237 876223 16236->16237 16247 8760f4 ___scrt_is_nonwritable_in_current_image __FrameHandler3::FrameUnwindToState ___scrt_release_startup_lock 16236->16247 16300 8769ef IsProcessorFeaturePresent 16237->16300 16239 87622a 16279 8802c4 16239->16279 16244 876113 16245 876194 16270 87ff02 16245->16270 16247->16244 16247->16245 16282 88029e 16247->16282 16249 87619a 16274 873d0a VirtualProtect FreeConsole 16249->16274 16254 8761bf 16255 8761c8 16254->16255 16291 880279 16254->16291 16294 87642a 16255->16294 16260 8762c2 16259->16260 16307 8764cc IsProcessorFeaturePresent 16260->16307 16264 8762d3 16265 8762d7 16264->16265 16317 881edb 16264->16317 16265->16236 16268 8762ee 16268->16236 16271 87ff10 16270->16271 16272 87ff0b 16270->16272 16271->16249 16389 87fc5c 16272->16389 17042 873062 16274->17042 17556 8800ac 16279->17556 16283 881f7c __FrameHandler3::FrameUnwindToState 16282->16283 16284 8802b4 std::_Lockit::_Lockit 16282->16284 16285 882a50 __Getctype 41 API calls 16283->16285 16284->16245 16286 881f8d 16285->16286 16287 87f409 __purecall 41 API calls 16286->16287 16288 881fb7 16287->16288 16289 876b09 GetModuleHandleW 16290 8761bb 16289->16290 16290->16239 16290->16254 16292 8800ac __FrameHandler3::FrameUnwindToState 23 API calls 16291->16292 16293 880284 16292->16293 16293->16255 16295 876436 16294->16295 16296 8761d1 16295->16296 17633 881eed 16295->17633 16296->16244 16298 876444 16299 87924d ___scrt_uninitialize_crt 7 API calls 16298->16299 16299->16296 16301 876a05 __FrameHandler3::FrameUnwindToState codecvt 16300->16301 16302 876ab0 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 16301->16302 16303 876af4 __FrameHandler3::FrameUnwindToState 16302->16303 16303->16239 16304 880288 16305 8800ac __FrameHandler3::FrameUnwindToState 23 API calls 16304->16305 16306 876238 16305->16306 16308 8762ce 16307->16308 16309 87922e 16308->16309 16326 87a307 16309->16326 16313 87923f 16314 87924a 16313->16314 16340 87a343 16313->16340 16314->16264 16316 879237 16316->16264 16380 88c64b 16317->16380 16320 87924d 16321 879256 16320->16321 16322 879260 16320->16322 16323 8793c6 ___vcrt_uninitialize_ptd 6 API calls 16321->16323 16322->16265 16324 87925b 16323->16324 16325 87a343 ___vcrt_uninitialize_locks DeleteCriticalSection 16324->16325 16325->16322 16328 87a310 16326->16328 16329 87a339 16328->16329 16330 879233 16328->16330 16344 87a54c 16328->16344 16331 87a343 ___vcrt_uninitialize_locks DeleteCriticalSection 16329->16331 16330->16316 16332 879393 16330->16332 16331->16330 16361 87a45d 16332->16361 16335 8793a8 16335->16313 16338 8793c3 16338->16313 16341 87a36d 16340->16341 16342 87a34e 16340->16342 16341->16316 16343 87a358 DeleteCriticalSection 16342->16343 16343->16341 16343->16343 16349 87a372 16344->16349 16347 87a584 InitializeCriticalSectionAndSpinCount 16348 87a56f 16347->16348 16348->16328 16350 87a38f 16349->16350 16353 87a393 16349->16353 16350->16347 16350->16348 16352 87a3fb GetProcAddress 16352->16350 16353->16350 16353->16352 16354 87a3ec 16353->16354 16356 87a412 LoadLibraryExW 16353->16356 16354->16352 16355 87a3f4 FreeLibrary 16354->16355 16355->16352 16357 87a459 16356->16357 16358 87a429 GetLastError 16356->16358 16357->16353 16358->16357 16359 87a434 ___vcrt_FlsGetValue 16358->16359 16359->16357 16360 87a44a LoadLibraryExW 16359->16360 16360->16353 16362 87a372 ___vcrt_FlsGetValue 5 API calls 16361->16362 16363 87a477 16362->16363 16364 87a490 TlsAlloc 16363->16364 16365 87939d 16363->16365 16365->16335 16366 87a50e 16365->16366 16367 87a372 ___vcrt_FlsGetValue 5 API calls 16366->16367 16368 87a528 16367->16368 16369 87a543 TlsSetValue 16368->16369 16370 8793b6 16368->16370 16369->16370 16370->16338 16371 8793c6 16370->16371 16372 8793d0 16371->16372 16373 8793d6 16371->16373 16375 87a498 16372->16375 16373->16335 16376 87a372 ___vcrt_FlsGetValue 5 API calls 16375->16376 16377 87a4b2 16376->16377 16378 87a4ca TlsFree 16377->16378 16379 87a4be 16377->16379 16378->16379 16379->16373 16381 88c65b 16380->16381 16382 8762e0 16380->16382 16381->16382 16384 884ee6 16381->16384 16382->16268 16382->16320 16386 884eed 16384->16386 16385 884f30 GetStdHandle 16385->16386 16386->16385 16387 884f92 16386->16387 16388 884f43 GetFileType 16386->16388 16387->16381 16388->16386 16390 87fc7b 16389->16390 16391 87fc65 16389->16391 16390->16271 16391->16390 16395 87fc88 16391->16395 16393 87fc72 16393->16390 16412 87fdf3 16393->16412 16396 87fc94 16395->16396 16397 87fc91 16395->16397 16420 889907 16396->16420 16397->16393 16402 87fca5 16447 883d06 16402->16447 16403 87fcb1 16453 87fce2 16403->16453 16408 883d06 ___free_lconv_mon 14 API calls 16409 87fcd5 16408->16409 16410 883d06 ___free_lconv_mon 14 API calls 16409->16410 16411 87fcdb 16410->16411 16411->16393 16413 87fe64 16412->16413 16418 87fe02 16412->16418 16413->16390 16414 883ca9 __Getctype 14 API calls 16414->16418 16415 87fe68 16416 883d06 ___free_lconv_mon 14 API calls 16415->16416 16416->16413 16417 888857 WideCharToMultiByte _Fputc 16417->16418 16418->16413 16418->16414 16418->16415 16418->16417 16419 883d06 ___free_lconv_mon 14 API calls 16418->16419 16419->16418 16421 889910 16420->16421 16425 87fc9a 16420->16425 16475 882b0b 16421->16475 16426 889c09 GetEnvironmentStringsW 16425->16426 16427 889c21 16426->16427 16440 87fc9f 16426->16440 16428 888857 _Fputc WideCharToMultiByte 16427->16428 16429 889c3e 16428->16429 16430 889c48 FreeEnvironmentStringsW 16429->16430 16431 889c53 16429->16431 16430->16440 16432 883d40 std::_Locinfo::_Locinfo_ctor 15 API calls 16431->16432 16433 889c5a 16432->16433 16434 889c62 16433->16434 16435 889c73 16433->16435 16436 883d06 ___free_lconv_mon 14 API calls 16434->16436 16437 888857 _Fputc WideCharToMultiByte 16435->16437 16438 889c67 FreeEnvironmentStringsW 16436->16438 16439 889c83 16437->16439 16438->16440 16441 889c8a 16439->16441 16442 889c92 16439->16442 16440->16402 16440->16403 16443 883d06 ___free_lconv_mon 14 API calls 16441->16443 16444 883d06 ___free_lconv_mon 14 API calls 16442->16444 16445 889c90 FreeEnvironmentStringsW 16443->16445 16444->16445 16445->16440 16448 87fcab 16447->16448 16449 883d11 HeapFree 16447->16449 16448->16393 16449->16448 16450 883d26 GetLastError 16449->16450 16451 883d33 __dosmaperr 16450->16451 16452 87d610 __strnicoll 12 API calls 16451->16452 16452->16448 16454 87fcf7 16453->16454 16455 883ca9 __Getctype 14 API calls 16454->16455 16456 87fd1e 16455->16456 16457 87fd26 16456->16457 16458 87fd30 16456->16458 16459 883d06 ___free_lconv_mon 14 API calls 16457->16459 16460 87fd8d 16458->16460 16463 883ca9 __Getctype 14 API calls 16458->16463 16464 87fd9c 16458->16464 16469 87fdb7 16458->16469 16471 883d06 ___free_lconv_mon 14 API calls 16458->16471 17023 881fb8 16458->17023 16462 87fcb8 16459->16462 16461 883d06 ___free_lconv_mon 14 API calls 16460->16461 16461->16462 16462->16408 16463->16458 17032 87fdc4 16464->17032 16468 883d06 ___free_lconv_mon 14 API calls 16470 87fda9 16468->16470 17038 87a94c IsProcessorFeaturePresent 16469->17038 16473 883d06 ___free_lconv_mon 14 API calls 16470->16473 16471->16458 16473->16462 16474 87fdc3 16476 882b1c 16475->16476 16477 882b16 16475->16477 16497 882b22 16476->16497 16528 885516 16476->16528 16523 8854d7 16477->16523 16483 882b46 16485 882b4e 16483->16485 16486 882b63 16483->16486 16487 885516 __Getctype 6 API calls 16485->16487 16488 885516 __Getctype 6 API calls 16486->16488 16492 882b5a 16487->16492 16489 882b6f 16488->16489 16490 882b82 16489->16490 16491 882b73 16489->16491 16540 88287e 16490->16540 16493 885516 __Getctype 6 API calls 16491->16493 16495 883d06 ___free_lconv_mon 14 API calls 16492->16495 16493->16492 16495->16497 16499 882b27 16497->16499 16545 87f409 16497->16545 16500 889712 16499->16500 16828 889867 16500->16828 16506 889766 16507 88977c 16506->16507 16508 88976e 16506->16508 16853 889962 16507->16853 16509 883d06 ___free_lconv_mon 14 API calls 16508->16509 16511 889755 16509->16511 16511->16425 16556 8852c6 16523->16556 16526 8854fc 16526->16476 16527 88550e TlsGetValue 16529 8852c6 std::_Lockit::_Lockit 5 API calls 16528->16529 16530 885532 16529->16530 16531 882b36 16530->16531 16532 885550 TlsSetValue 16530->16532 16531->16497 16533 883ca9 16531->16533 16539 883cb6 __Getctype 16533->16539 16534 883cf6 16574 87d610 16534->16574 16535 883ce1 HeapAlloc 16536 883cf4 16535->16536 16535->16539 16536->16483 16539->16534 16539->16535 16571 87f6e0 16539->16571 16611 882712 16540->16611 16713 8885a3 16545->16713 16549 87f423 IsProcessorFeaturePresent 16552 87f42f 16549->16552 16550 880288 __FrameHandler3::FrameUnwindToState 23 API calls 16553 87f44c 16550->16553 16551 87f419 16551->16549 16555 87f442 16551->16555 16743 87a723 16552->16743 16555->16550 16557 8852f0 16556->16557 16558 8852f4 16556->16558 16557->16526 16557->16527 16558->16557 16563 8851fb 16558->16563 16561 88530e GetProcAddress 16561->16557 16562 88531e std::_Lockit::_Lockit 16561->16562 16562->16557 16569 88520c ___vcrt_FlsGetValue 16563->16569 16564 8852a2 16564->16557 16564->16561 16565 88522a LoadLibraryExW 16566 8852a9 16565->16566 16567 885245 GetLastError 16565->16567 16566->16564 16568 8852bb FreeLibrary 16566->16568 16567->16569 16568->16564 16569->16564 16569->16565 16570 885278 LoadLibraryExW 16569->16570 16570->16566 16570->16569 16577 87f70d 16571->16577 16588 882ba1 GetLastError 16574->16588 16576 87d615 16576->16536 16578 87f719 __FrameHandler3::FrameUnwindToState 16577->16578 16583 87cd14 EnterCriticalSection 16578->16583 16580 87f724 16584 87f760 16580->16584 16583->16580 16587 87cd5c LeaveCriticalSection 16584->16587 16586 87f6eb 16586->16539 16587->16586 16589 882bbd 16588->16589 16590 882bb7 16588->16590 16592 885516 __Getctype 6 API calls 16589->16592 16594 882bc1 SetLastError 16589->16594 16591 8854d7 __Getctype 6 API calls 16590->16591 16591->16589 16593 882bd9 16592->16593 16593->16594 16596 883ca9 __Getctype 12 API calls 16593->16596 16594->16576 16597 882bee 16596->16597 16598 882bf6 16597->16598 16599 882c07 16597->16599 16600 885516 __Getctype 6 API calls 16598->16600 16601 885516 __Getctype 6 API calls 16599->16601 16602 882c04 16600->16602 16603 882c13 16601->16603 16608 883d06 ___free_lconv_mon 12 API calls 16602->16608 16604 882c2e 16603->16604 16605 882c17 16603->16605 16606 88287e __Getctype 12 API calls 16604->16606 16607 885516 __Getctype 6 API calls 16605->16607 16609 882c39 16606->16609 16607->16602 16608->16594 16610 883d06 ___free_lconv_mon 12 API calls 16609->16610 16610->16594 16612 88271e __FrameHandler3::FrameUnwindToState 16611->16612 16625 87cd14 EnterCriticalSection 16612->16625 16614 882728 16626 882758 16614->16626 16617 882824 16618 882830 __FrameHandler3::FrameUnwindToState 16617->16618 16630 87cd14 EnterCriticalSection 16618->16630 16625->16614 16629 87cd5c LeaveCriticalSection 16626->16629 16628 882746 16628->16617 16629->16628 16749 8884d5 16713->16749 16716 8885e8 16717 8885f4 __FrameHandler3::FrameUnwindToState 16716->16717 16718 882ba1 __dosmaperr 14 API calls 16717->16718 16720 88861b __FrameHandler3::FrameUnwindToState 16717->16720 16725 888621 __FrameHandler3::FrameUnwindToState 16717->16725 16718->16720 16719 888668 16721 87d610 __strnicoll 14 API calls 16719->16721 16720->16719 16720->16725 16742 888652 16720->16742 16722 88866d 16721->16722 16760 87a91f 16722->16760 16724 888694 16728 8886d6 16724->16728 16729 8887c7 16724->16729 16739 888705 16724->16739 16725->16724 16763 87cd14 EnterCriticalSection 16725->16763 16728->16739 16764 882a50 GetLastError 16728->16764 16730 8887d2 16729->16730 16797 87cd5c LeaveCriticalSection 16729->16797 16733 880288 __FrameHandler3::FrameUnwindToState 23 API calls 16730->16733 16735 8887da 16733->16735 16736 882a50 __Getctype 41 API calls 16740 88875a 16736->16740 16738 882a50 __Getctype 41 API calls 16738->16739 16793 888774 16739->16793 16741 882a50 __Getctype 41 API calls 16740->16741 16740->16742 16741->16742 16742->16551 16744 87a73f __FrameHandler3::FrameUnwindToState codecvt 16743->16744 16745 87a76b IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 16744->16745 16746 87a83c __FrameHandler3::FrameUnwindToState 16745->16746 16820 875eff 16746->16820 16748 87a85a 16748->16555 16750 8884e1 __FrameHandler3::FrameUnwindToState 16749->16750 16755 87cd14 EnterCriticalSection 16750->16755 16752 8884ef 16756 88852d 16752->16756 16755->16752 16759 87cd5c LeaveCriticalSection 16756->16759 16758 87f40e 16758->16551 16758->16716 16759->16758 16798 87a86b 16760->16798 16763->16724 16765 882a6c 16764->16765 16766 882a66 16764->16766 16768 885516 __Getctype 6 API calls 16765->16768 16770 882a70 16765->16770 16767 8854d7 __Getctype 6 API calls 16766->16767 16767->16765 16769 882a88 16768->16769 16769->16770 16771 882a90 16769->16771 16772 882af5 SetLastError 16770->16772 16773 883ca9 __Getctype 14 API calls 16771->16773 16775 882b00 16772->16775 16776 882b05 16772->16776 16774 882a9d 16773->16774 16777 882aa5 16774->16777 16778 882ab6 16774->16778 16775->16738 16779 87f409 __purecall 39 API calls 16776->16779 16780 885516 __Getctype 6 API calls 16777->16780 16781 885516 __Getctype 6 API calls 16778->16781 16782 882b0a 16779->16782 16794 88877a 16793->16794 16795 88874b 16793->16795 16819 87cd5c LeaveCriticalSection 16794->16819 16795->16736 16795->16740 16795->16742 16797->16730 16799 87a87d _Fputc 16798->16799 16804 87a8a2 16799->16804 16805 87a8b2 16804->16805 16806 87a8b9 16804->16806 16807 87a6c0 __strnicoll 16 API calls 16805->16807 16808 87a895 16806->16808 16809 87a697 __strnicoll GetLastError SetLastError 16806->16809 16807->16806 16813 87a65b 16808->16813 16810 87a8ee 16809->16810 16810->16808 16811 87a94c _Deallocate 11 API calls 16810->16811 16814 87a667 16813->16814 16819->16795 16821 875f07 16820->16821 16822 875f08 IsProcessorFeaturePresent 16820->16822 16821->16748 16824 876722 16822->16824 16827 8766e5 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 16824->16827 16826 876805 16826->16748 16827->16826 16829 889873 __FrameHandler3::FrameUnwindToState 16828->16829 16835 88988d 16829->16835 16872 87cd14 EnterCriticalSection 16829->16872 16831 88989d 16837 883d06 ___free_lconv_mon 14 API calls 16831->16837 16838 8898c9 16831->16838 16833 87f409 __purecall 41 API calls 16836 889906 16833->16836 16834 88973c 16839 889492 16834->16839 16835->16833 16835->16834 16837->16838 16873 8898e6 16838->16873 16877 87ee6a 16839->16877 16842 8894b3 GetOEMCP 16845 8894dc 16842->16845 16843 8894c5 16844 8894ca GetACP 16843->16844 16843->16845 16844->16845 16845->16511 16846 883d40 16845->16846 16847 883d7e 16846->16847 16851 883d4e __Getctype 16846->16851 16848 87d610 __strnicoll 14 API calls 16847->16848 16850 883d7c 16848->16850 16849 883d69 HeapAlloc 16849->16850 16849->16851 16850->16506 16851->16847 16851->16849 16852 87f6e0 codecvt 2 API calls 16851->16852 16852->16851 16854 889492 43 API calls 16853->16854 16855 889982 16854->16855 16857 8899bf IsValidCodePage 16855->16857 16862 8899fb codecvt 16855->16862 16856 875eff __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 16858 8897a9 16856->16858 16859 8899d1 16857->16859 16857->16862 16860 889a00 GetCPInfo 16859->16860 16863 8899da codecvt 16859->16863 16860->16862 16860->16863 16862->16856 16872->16831 16876 87cd5c LeaveCriticalSection 16873->16876 16875 8898ed 16875->16835 16876->16875 16878 87ee81 16877->16878 16879 87ee88 16877->16879 16878->16842 16878->16843 16879->16878 16880 882a50 __Getctype 41 API calls 16879->16880 16881 87eea9 16880->16881 16885 883d8e 16881->16885 16886 87eebf 16885->16886 16887 883da1 16885->16887 16889 883dec 16886->16889 16887->16886 16893 88b29d 16887->16893 16890 883dff 16889->16890 16891 883e14 16889->16891 16890->16891 16914 88994f 16890->16914 16891->16878 16894 88b2a9 __FrameHandler3::FrameUnwindToState 16893->16894 16895 882a50 __Getctype 41 API calls 16894->16895 16896 88b2b2 16895->16896 16903 88b2f8 16896->16903 16906 87cd14 EnterCriticalSection 16896->16906 16898 88b2d0 16907 88b31e 16898->16907 16903->16886 16906->16898 16908 88b2e1 16907->16908 16909 88b32c __Getctype 16907->16909 16911 88b2fd 16908->16911 16909->16908 16910 88b051 __Getctype 14 API calls 16909->16910 16910->16908 16912 87cd5c std::_Lockit::~_Lockit LeaveCriticalSection 16911->16912 16915 882a50 __Getctype 41 API calls 16914->16915 16916 889954 16915->16916 16917 889867 __strnicoll 41 API calls 16916->16917 16918 88995f 16917->16918 16918->16891 17024 881fc6 17023->17024 17025 881fd4 17023->17025 17024->17025 17030 881fec 17024->17030 17026 87d610 __strnicoll 14 API calls 17025->17026 17027 881fdc 17026->17027 17028 87a91f __strnicoll 41 API calls 17027->17028 17029 881fe6 17028->17029 17029->16458 17030->17029 17031 87d610 __strnicoll 14 API calls 17030->17031 17031->17027 17033 87fdd1 17032->17033 17034 87fda2 17032->17034 17035 87fde8 17033->17035 17036 883d06 ___free_lconv_mon 14 API calls 17033->17036 17034->16468 17037 883d06 ___free_lconv_mon 14 API calls 17035->17037 17036->17033 17037->17034 17039 87a958 17038->17039 17040 87a723 __FrameHandler3::FrameUnwindToState 8 API calls 17039->17040 17041 87a96d GetCurrentProcess TerminateProcess 17040->17041 17041->16474 17043 873070 OpenIcon 17042->17043 17044 87309f 17042->17044 17043->17043 17043->17044 17045 873048 17044->17045 17048 87238f 17045->17048 17053 8723c2 17048->17053 17049 872494 17050 875eff __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 17049->17050 17051 8724a6 17050->17051 17051->16289 17053->17049 17055 872081 17053->17055 17065 8719ae 17053->17065 17056 87208d __EH_prolog3_catch 17055->17056 17072 871e9a 17056->17072 17062 8720c6 std::ios_base::_Ios_base_dtor 17091 872fa9 17062->17091 17064 87217e codecvt 17064->17053 17403 873c9b 17065->17403 17067 8719c1 17407 873b67 17067->17407 17069 8719cc 17070 8739ed 51 API calls 17069->17070 17073 871ea9 17072->17073 17075 871ec7 17073->17075 17103 8739ed 17073->17103 17075->17062 17076 871a50 17075->17076 17111 873dcc 17076->17111 17080 871a87 17134 873e24 17080->17134 17081 871a74 17081->17080 17123 8726f3 17081->17123 17084 871abd 17084->17062 17086 871ac3 17141 872e36 17086->17141 17087 871a9e 17131 87411a 17087->17131 17092 872176 17091->17092 17095 872fc0 std::ios_base::_Init 17091->17095 17098 872040 17092->17098 17093 87741c Concurrency::cancel_current_task RaiseException 17094 873012 17093->17094 17097 872ff9 17095->17097 17294 871e40 17095->17294 17097->17093 17385 873fb3 17098->17385 17100 872048 17101 872001 17100->17101 17389 872d13 17100->17389 17101->17064 17104 8739f9 __EH_prolog3_catch 17103->17104 17105 873a9e codecvt 17104->17105 17106 871e9a 51 API calls 17104->17106 17105->17075 17108 873a18 17106->17108 17107 873a96 17109 872040 51 API calls 17107->17109 17108->17107 17110 872fa9 std::ios_base::_Init 43 API calls 17108->17110 17109->17105 17110->17107 17112 873de2 17111->17112 17113 873ddb 17111->17113 17116 871a61 17112->17116 17150 875c73 EnterCriticalSection 17112->17150 17145 87cd73 17113->17145 17117 8721b2 17116->17117 17118 8721e2 17117->17118 17119 8721be 17117->17119 17118->17081 17120 873dcc std::_Lockit::_Lockit 7 API calls 17119->17120 17121 8721c8 17120->17121 17122 873e24 std::_Lockit::~_Lockit 2 API calls 17121->17122 17122->17118 17124 871a97 17123->17124 17125 872707 17123->17125 17124->17086 17124->17087 17125->17124 17202 875ec1 17125->17202 17127 87272b 17127->17124 17224 871f84 17127->17224 17128 872713 codecvt 17128->17127 17215 871c4c 17128->17215 17132 875ec1 codecvt 43 API calls 17131->17132 17133 874125 17132->17133 17133->17080 17135 87cd81 17134->17135 17137 873e2e 17134->17137 17293 87cd5c LeaveCriticalSection 17135->17293 17138 873e41 17137->17138 17292 875c81 LeaveCriticalSection 17137->17292 17138->17084 17139 87cd88 17139->17084 17142 872e44 17141->17142 17143 87741c Concurrency::cancel_current_task RaiseException 17142->17143 17144 872e52 17143->17144 17151 88572e 17145->17151 17150->17116 17172 8850dd 17151->17172 17173 8852c6 std::_Lockit::_Lockit 5 API calls 17172->17173 17174 8850f3 17173->17174 17175 8850f7 17174->17175 17176 8852c6 std::_Lockit::_Lockit 5 API calls 17175->17176 17177 88510d 17176->17177 17178 885111 17177->17178 17179 8852c6 std::_Lockit::_Lockit 5 API calls 17178->17179 17180 885127 17179->17180 17181 88512b 17180->17181 17182 8852c6 std::_Lockit::_Lockit 5 API calls 17181->17182 17183 885141 17182->17183 17184 885145 17183->17184 17185 8852c6 std::_Lockit::_Lockit 5 API calls 17184->17185 17186 88515b 17185->17186 17204 875ec6 17202->17204 17205 875ee0 17204->17205 17206 87f6e0 codecvt 2 API calls 17204->17206 17208 872e19 Concurrency::cancel_current_task 17204->17208 17242 87cd8a 17204->17242 17205->17128 17206->17204 17207 875eec 17207->17207 17208->17207 17239 87741c 17208->17239 17210 872e35 17211 87a86b __strnicoll 41 API calls 17210->17211 17212 87a93e 17211->17212 17213 87a94c _Deallocate 11 API calls 17212->17213 17214 87a94b 17213->17214 17216 873dcc std::_Lockit::_Lockit 7 API calls 17215->17216 17217 871c58 17216->17217 17218 871c86 17217->17218 17219 871c99 17217->17219 17249 87424a 17218->17249 17258 873f93 17219->17258 17288 874295 17224->17288 17227 871f9d 17229 871fb0 17227->17229 17230 87ab4a ___std_exception_destroy 14 API calls 17227->17230 17228 87ab4a ___std_exception_destroy 14 API calls 17228->17227 17231 871fc1 17229->17231 17232 87ab4a ___std_exception_destroy 14 API calls 17229->17232 17230->17229 17232->17231 17240 877436 17239->17240 17241 877463 RaiseException 17239->17241 17240->17241 17241->17210 17247 883d40 __Getctype 17242->17247 17243 883d7e 17244 87d610 __strnicoll 14 API calls 17243->17244 17246 883d7c 17244->17246 17245 883d69 HeapAlloc 17245->17246 17245->17247 17246->17204 17247->17243 17247->17245 17248 87f6e0 codecvt 2 API calls 17247->17248 17248->17247 17263 87cfea 17249->17263 17282 873eea 17258->17282 17285 871df3 17282->17285 17289 8742a1 17288->17289 17290 871f8e 17288->17290 17291 87cfea std::_Locinfo::_Locinfo_ctor 63 API calls 17289->17291 17290->17227 17290->17228 17291->17290 17292->17138 17293->17139 17297 871efa 17294->17297 17306 871b9a 17297->17306 17307 871bb7 _strlen 17306->17307 17325 87114d 17307->17325 17309 871bc4 17310 871cc5 17309->17310 17343 871b66 17310->17343 17326 8711b8 17325->17326 17329 87115e std::ios_base::_Init 17325->17329 17340 872ec2 17326->17340 17331 871165 std::ios_base::_Init 17329->17331 17332 871100 17329->17332 17331->17309 17333 871113 17332->17333 17334 87110b 17332->17334 17336 87111f 17333->17336 17338 875ec1 codecvt 43 API calls 17333->17338 17335 871122 std::ios_base::_Init 43 API calls 17334->17335 17337 871111 17335->17337 17336->17331 17337->17331 17339 87111d 17338->17339 17339->17331 17341 873f53 std::ios_base::_Init 43 API calls 17340->17341 17342 872ecc 17341->17342 17344 871b86 17343->17344 17363 871239 17344->17363 17346 871b93 17347 872c91 17346->17347 17348 872cc2 17347->17348 17349 872cab _strlen 17347->17349 17364 87129b 17363->17364 17365 87124a std::ios_base::_Init 17363->17365 17366 872ec2 std::ios_base::_Init 43 API calls 17364->17366 17368 871100 std::ios_base::_Init 43 API calls 17365->17368 17369 871251 std::ios_base::_Init codecvt 17365->17369 17367 8712a0 17366->17367 17368->17369 17369->17346 17385->17100 17386 877837 17385->17386 17393 87935c 17386->17393 17388 87783c 17388->17100 17391 872d1f __EH_prolog3_catch 17389->17391 17390 872d5b codecvt 17390->17101 17391->17390 17392 872fa9 std::ios_base::_Init 43 API calls 17391->17392 17392->17390 17394 879365 17393->17394 17395 879368 GetLastError 17393->17395 17394->17388 17398 87a4d3 17395->17398 17399 87a372 ___vcrt_FlsGetValue 5 API calls 17398->17399 17400 87a4ed 17399->17400 17401 87a505 TlsGetValue 17400->17401 17402 87937d SetLastError 17400->17402 17401->17402 17402->17388 17404 873caf 17403->17404 17417 8719d7 17404->17417 17406 873cb8 std::ios_base::_Ios_base_dtor 17406->17067 17408 873b73 __EH_prolog3_catch 17407->17408 17409 871e9a 51 API calls 17408->17409 17410 873b85 17409->17410 17413 873b8b 17410->17413 17498 873c59 17410->17498 17412 872fa9 std::ios_base::_Init 43 API calls 17414 873c18 17412->17414 17413->17412 17415 872040 51 API calls 17414->17415 17416 873c20 codecvt 17415->17416 17416->17069 17418 873dcc std::_Lockit::_Lockit 7 API calls 17417->17418 17419 8719e8 17418->17419 17420 8721b2 int 9 API calls 17419->17420 17421 8719fb 17420->17421 17422 871a0e 17421->17422 17432 87268e 17421->17432 17423 873e24 std::_Lockit::~_Lockit 2 API calls 17422->17423 17425 871a44 17423->17425 17425->17406 17427 871a25 17430 87411a std::_Facet_Register 43 API calls 17427->17430 17428 871a4a 17429 872e36 RaiseException 17428->17429 17431 871a4f 17429->17431 17430->17422 17433 871a1e 17432->17433 17434 8726a2 17432->17434 17433->17427 17433->17428 17434->17433 17435 875ec1 codecvt 43 API calls 17434->17435 17437 8726ae codecvt 17435->17437 17436 8726d7 17436->17433 17438 871f84 std::_Locinfo::~_Locinfo 63 API calls 17436->17438 17437->17436 17439 871c4c codecvt 66 API calls 17437->17439 17438->17433 17440 8726c6 17439->17440 17442 87286f 17440->17442 17447 87435f 17442->17447 17469 87d046 17447->17469 17449 874368 __Getctype 17450 874382 17449->17450 17451 8743a0 17449->17451 17474 87d022 17450->17474 17453 87d022 __Getctype 41 API calls 17451->17453 17454 874389 17453->17454 17470 882a50 __Getctype 41 API calls 17469->17470 17471 87d051 17470->17471 17472 883d8e __Getctype 41 API calls 17471->17472 17473 87d061 17472->17473 17473->17449 17475 882a50 __Getctype 41 API calls 17474->17475 17499 873c61 17498->17499 17500 873c69 17499->17500 17502 8753c9 17499->17502 17500->17413 17503 8753f4 17502->17503 17508 8753eb 17502->17508 17505 875434 17503->17505 17503->17508 17510 87545a 17503->17510 17504 875eff __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 17506 875456 17504->17506 17514 87474c 17505->17514 17506->17500 17508->17504 17509 8754b5 17509->17508 17517 87eac6 17509->17517 17510->17509 17511 875496 17510->17511 17511->17508 17513 87474c _Fputc 45 API calls 17511->17513 17513->17508 17523 87db52 17514->17523 17518 87ead9 _Fputc 17517->17518 17557 8800d9 17556->17557 17558 8800eb 17556->17558 17583 880174 GetModuleHandleW 17557->17583 17568 87ff74 17558->17568 17563 876230 17563->16304 17569 87ff80 __FrameHandler3::FrameUnwindToState 17568->17569 17591 87cd14 EnterCriticalSection 17569->17591 17571 87ff8a 17592 87ffc1 17571->17592 17573 87ff97 17596 87ffb5 17573->17596 17576 880143 17621 8801b7 17576->17621 17579 880161 17581 8801d9 __FrameHandler3::FrameUnwindToState 3 API calls 17579->17581 17580 880151 GetCurrentProcess TerminateProcess 17580->17579 17582 880169 ExitProcess 17581->17582 17584 8800de 17583->17584 17584->17558 17585 8801d9 GetModuleHandleExW 17584->17585 17586 880218 GetProcAddress 17585->17586 17587 880239 17585->17587 17586->17587 17588 88022c 17586->17588 17589 8800ea 17587->17589 17590 88023f FreeLibrary 17587->17590 17588->17587 17589->17558 17590->17589 17591->17571 17593 87ffcd __FrameHandler3::FrameUnwindToState 17592->17593 17595 880034 __FrameHandler3::FrameUnwindToState 17593->17595 17599 881d46 17593->17599 17595->17573 17620 87cd5c LeaveCriticalSection 17596->17620 17598 87ffa3 17598->17563 17598->17576 17600 881d52 __EH_prolog3 17599->17600 17603 881a9e 17600->17603 17602 881d79 codecvt 17602->17595 17604 881aaa __FrameHandler3::FrameUnwindToState 17603->17604 17611 87cd14 EnterCriticalSection 17604->17611 17606 881ab8 17612 881c56 17606->17612 17611->17606 17613 881ac5 17612->17613 17614 881c75 17612->17614 17616 881aed 17613->17616 17614->17613 17615 883d06 ___free_lconv_mon 14 API calls 17614->17615 17615->17613 17619 87cd5c LeaveCriticalSection 17616->17619 17618 881ad6 17618->17602 17619->17618 17620->17598 17626 88a031 GetPEB 17621->17626 17624 8801c1 GetPEB 17625 88014d 17624->17625 17625->17579 17625->17580 17627 8801bc 17626->17627 17628 88a04b 17626->17628 17627->17624 17627->17625 17630 885349 17628->17630 17631 8852c6 std::_Lockit::_Lockit 5 API calls 17630->17631 17632 885365 17631->17632 17632->17627 17634 881ef8 17633->17634 17635 881f0a ___scrt_uninitialize_crt 17633->17635 17636 881f06 17634->17636 17638 87e2a2 17634->17638 17635->16298 17636->16298 17641 87e12f 17638->17641 17644 87e023 17641->17644 17645 87e02f __FrameHandler3::FrameUnwindToState 17644->17645 17652 87cd14 EnterCriticalSection 17645->17652 17647 87e0a5 17661 87e0c3 17647->17661 17649 87e039 ___scrt_uninitialize_crt 17649->17647 17653 87df97 17649->17653 17652->17649 17654 87dfa3 __FrameHandler3::FrameUnwindToState 17653->17654 17664 87d747 EnterCriticalSection 17654->17664 17656 87dfad ___scrt_uninitialize_crt 17660 87dfe6 17656->17660 17665 87e23d 17656->17665 17678 87e017 17660->17678 17782 87cd5c LeaveCriticalSection 17661->17782 17663 87e0b1 17663->17636 17664->17656 17666 87e252 _Fputc 17665->17666 17667 87e264 17666->17667 17668 87e259 17666->17668 17681 87e1d4 17667->17681 17669 87e12f ___scrt_uninitialize_crt 70 API calls 17668->17669 17781 87d75b LeaveCriticalSection 17678->17781 17782->17663 18771 87ecc4 18772 87ecd7 _Fputc 18771->18772 18777 87ebfb 18772->18777 18774 87ecec 18775 87a65b _Fputc 41 API calls 18774->18775 18776 87ecf9 18775->18776 18778 87ec30 18777->18778 18779 87ec0d 18777->18779 18778->18779 18782 87ec57 18778->18782 18780 87a8a2 __strnicoll 29 API calls 18779->18780 18781 87ec28 18780->18781 18781->18774 18785 87eb00 18782->18785 18786 87eb0c __FrameHandler3::FrameUnwindToState 18785->18786 18793 87d747 EnterCriticalSection 18786->18793 18788 87eb1a 18794 87eb5b 18788->18794 18790 87eb27 18803 87eb4f 18790->18803 18793->18788 18795 87e1d4 ___scrt_uninitialize_crt 66 API calls 18794->18795 18796 87eb76 18795->18796 18806 886540 18796->18806 18799 883ca9 __Getctype 14 API calls 18800 87ebbf 18799->18800 18801 883d06 ___free_lconv_mon 14 API calls 18800->18801 18802 87eb9b 18801->18802 18802->18790 18810 87d75b LeaveCriticalSection 18803->18810 18805 87eb38 18805->18774 18807 886557 18806->18807 18809 87eb80 18806->18809 18808 883d06 ___free_lconv_mon 14 API calls 18807->18808 18807->18809 18808->18809 18809->18799 18809->18802 18810->18805 20659 874fd3 20660 874fdf 20659->20660 20661 874fda 20659->20661 20663 87d747 EnterCriticalSection 20661->20663 20663->20660 18901 8710da 18906 873d9f 18901->18906 18907 873daf 18906->18907 18908 8710df 18906->18908 18907->18908 18913 875c5e InitializeCriticalSectionEx 18907->18913 18910 87647f 18908->18910 18914 876452 18910->18914 18913->18907 18915 876461 18914->18915 18916 876468 18914->18916 18920 881d30 18915->18920 18923 881dad 18916->18923 18919 8710e9 18921 881dad 44 API calls 18920->18921 18922 881d42 18921->18922 18922->18919 18926 881af9 18923->18926 18927 881b05 __FrameHandler3::FrameUnwindToState 18926->18927 18934 87cd14 EnterCriticalSection 18927->18934 18929 881b13 18935 881b54 18929->18935 18931 881b20 18945 881b48 18931->18945 18934->18929 18936 881b6f 18935->18936 18937 881be2 std::_Lockit::_Lockit 18935->18937 18936->18937 18938 881bc2 18936->18938 18940 88c5c3 44 API calls 18936->18940 18937->18931 18938->18937 18939 88c5c3 44 API calls 18938->18939 18941 881bd8 18939->18941 18942 881bb8 18940->18942 18943 883d06 ___free_lconv_mon 14 API calls 18941->18943 18944 883d06 ___free_lconv_mon 14 API calls 18942->18944 18943->18937 18944->18938 18948 87cd5c LeaveCriticalSection 18945->18948 18947 881b31 18947->18919 18948->18947 18972 8754f6 18973 875510 18972->18973 18974 875522 18973->18974 18976 874823 18973->18976 18979 87ddc4 18976->18979 18980 87ddd0 __FrameHandler3::FrameUnwindToState 18979->18980 18981 87ddd7 18980->18981 18982 87ddee 18980->18982 18983 87d610 __strnicoll 14 API calls 18981->18983 18992 87d747 EnterCriticalSection 18982->18992 18985 87dddc 18983->18985 18987 87a91f __strnicoll 41 API calls 18985->18987 18986 87ddfd 18993 87dd0e 18986->18993 18989 874835 18987->18989 18989->18974 18990 87de0b 19005 87de3a 18990->19005 18992->18986 18995 87dd24 18993->18995 18999 87dd87 _Ungetc 18993->18999 18994 87dd52 18997 884ca2 _Ungetc 41 API calls 18994->18997 18994->18999 18995->18994 18996 886d25 _Ungetc 14 API calls 18995->18996 18995->18999 18996->18994 18998 87dd64 18997->18998 18998->18999 19000 884ca2 _Ungetc 41 API calls 18998->19000 18999->18990 19001 87dd70 19000->19001 19001->18999 19002 884ca2 _Ungetc 41 API calls 19001->19002 19003 87dd7c 19002->19003 19004 884ca2 _Ungetc 41 API calls 19003->19004 19004->18999 19008 87d75b LeaveCriticalSection 19005->19008 19007 87de40 19007->18989 19008->19007 19009 884afe 19010 884b11 _Fputc 19009->19010 19015 884994 19010->19015 19012 884b26 19013 87a65b _Fputc 41 API calls 19012->19013 19014 884b33 19013->19014 19017 8849a9 19015->19017 19016 8849ea 19020 888857 _Fputc WideCharToMultiByte 19016->19020 19023 8849ad codecvt _Fputc 19016->19023 19024 8849d6 codecvt 19016->19024 19017->19016 19018 87c660 _Fputc 41 API calls 19017->19018 19017->19023 19017->19024 19018->19016 19019 87a8a2 __strnicoll 29 API calls 19019->19023 19021 884aa5 19020->19021 19022 884abb GetLastError 19021->19022 19021->19023 19022->19023 19022->19024 19023->19012 19024->19019 19024->19023 17783 8868f4 17784 884ca2 _Ungetc 41 API calls 17783->17784 17787 886901 17784->17787 17785 88690d 17786 886959 17786->17785 17789 8869bb 17786->17789 17814 884d0b 17786->17814 17787->17785 17787->17786 17806 886c8a 17787->17806 17795 886ae4 17789->17795 17796 884ca2 _Ungetc 41 API calls 17795->17796 17797 886af3 17796->17797 17798 886b99 17797->17798 17799 886b06 17797->17799 17800 88785d ___scrt_uninitialize_crt 66 API calls 17798->17800 17801 886b4a 17799->17801 17802 886b23 17799->17802 17804 8869cc 17800->17804 17801->17804 17825 88833a 17801->17825 17803 88785d ___scrt_uninitialize_crt 66 API calls 17802->17803 17803->17804 17807 886ca0 17806->17807 17808 886ca4 17806->17808 17807->17786 17809 88a287 ___scrt_uninitialize_crt 41 API calls 17808->17809 17813 886cf3 17808->17813 17810 886cc5 17809->17810 17811 886ccd SetFilePointerEx 17810->17811 17810->17813 17812 886ce4 GetFileSizeEx 17811->17812 17811->17813 17812->17813 17813->17786 17816 884d17 17814->17816 17815 884d38 17815->17789 17820 886d25 17815->17820 17816->17815 17817 884ca2 _Ungetc 41 API calls 17816->17817 17818 884d32 17817->17818 17853 88e4e0 17818->17853 17821 883ca9 __Getctype 14 API calls 17820->17821 17822 886d42 17821->17822 17823 883d06 ___free_lconv_mon 14 API calls 17822->17823 17824 886d4c 17823->17824 17824->17789 17826 88834e _Fputc 17825->17826 17831 888191 17826->17831 17829 87a65b _Fputc 41 API calls 17830 888372 17829->17830 17830->17804 17833 88819d __FrameHandler3::FrameUnwindToState 17831->17833 17832 8881a5 17832->17829 17833->17832 17834 88827b 17833->17834 17836 8881f9 17833->17836 17835 87a8a2 __strnicoll 29 API calls 17834->17835 17835->17832 17842 88a1b0 EnterCriticalSection 17836->17842 17838 8881ff 17839 888224 17838->17839 17843 8882b7 17838->17843 17849 888273 17839->17849 17842->17838 17844 88a287 ___scrt_uninitialize_crt 41 API calls 17843->17844 17845 8882c9 17844->17845 17846 8882e5 SetFilePointerEx 17845->17846 17848 8882d1 ___scrt_uninitialize_crt 17845->17848 17847 8882fd GetLastError 17846->17847 17846->17848 17847->17848 17848->17839 17852 88a1d3 LeaveCriticalSection 17849->17852 17851 888279 17851->17832 17852->17851 17854 88e4fa 17853->17854 17855 88e4ed 17853->17855 17857 88e506 17854->17857 17858 87d610 __strnicoll 14 API calls 17854->17858 17856 87d610 __strnicoll 14 API calls 17855->17856 17859 88e4f2 17856->17859 17857->17815 17860 88e527 17858->17860 17859->17815 17861 87a91f __strnicoll 41 API calls 17860->17861 17861->17859 19091 87d6fb 19092 87e2a2 ___scrt_uninitialize_crt 70 API calls 19091->19092 19093 87d703 19092->19093 19101 886495 19093->19101 19095 87d708 19096 886540 14 API calls 19095->19096 19097 87d717 DeleteCriticalSection 19096->19097 19097->19095 19098 87d732 19097->19098 19099 883d06 ___free_lconv_mon 14 API calls 19098->19099 19100 87d73d 19099->19100 19102 8864a1 __FrameHandler3::FrameUnwindToState 19101->19102 19111 87cd14 EnterCriticalSection 19102->19111 19104 886518 19118 886537 19104->19118 19106 8864ac 19106->19104 19107 8864ec DeleteCriticalSection 19106->19107 19112 87df67 19106->19112 19110 883d06 ___free_lconv_mon 14 API calls 19107->19110 19110->19106 19111->19106 19113 87df7a _Fputc 19112->19113 19121 87de42 19113->19121 19115 87df86 19116 87a65b _Fputc 41 API calls 19115->19116 19117 87df92 19116->19117 19117->19106 19193 87cd5c LeaveCriticalSection 19118->19193 19120 886524 19120->19095 19122 87de4e __FrameHandler3::FrameUnwindToState 19121->19122 19123 87de58 19122->19123 19125 87de7b 19122->19125 19124 87a8a2 __strnicoll 29 API calls 19123->19124 19131 87de73 19124->19131 19125->19131 19132 87d747 EnterCriticalSection 19125->19132 19127 87de99 19133 87ded9 19127->19133 19129 87dea6 19147 87ded1 19129->19147 19131->19115 19132->19127 19134 87dee6 19133->19134 19135 87df09 19133->19135 19136 87a8a2 __strnicoll 29 API calls 19134->19136 19137 87df01 19135->19137 19138 87e1d4 ___scrt_uninitialize_crt 66 API calls 19135->19138 19136->19137 19137->19129 19139 87df21 19138->19139 19140 886540 14 API calls 19139->19140 19141 87df29 19140->19141 19142 884ca2 _Ungetc 41 API calls 19141->19142 19143 87df35 19142->19143 19150 886e12 19143->19150 19146 883d06 ___free_lconv_mon 14 API calls 19146->19137 19192 87d75b LeaveCriticalSection 19147->19192 19149 87ded7 19149->19131 19152 886e3b 19150->19152 19156 87df3c 19150->19156 19151 886e8a 19153 87a8a2 __strnicoll 29 API calls 19151->19153 19152->19151 19154 886e62 19152->19154 19153->19156 19157 886d81 19154->19157 19156->19137 19156->19146 19158 886d8d __FrameHandler3::FrameUnwindToState 19157->19158 19165 88a1b0 EnterCriticalSection 19158->19165 19160 886d9b 19161 886dcc 19160->19161 19166 886eb5 19160->19166 19179 886e06 19161->19179 19165->19160 19167 88a287 ___scrt_uninitialize_crt 41 API calls 19166->19167 19170 886ec5 19167->19170 19168 886ecb 19182 88a1f6 19168->19182 19170->19168 19172 88a287 ___scrt_uninitialize_crt 41 API calls 19170->19172 19178 886efd 19170->19178 19171 88a287 ___scrt_uninitialize_crt 41 API calls 19174 886f09 CloseHandle 19171->19174 19173 886ef4 19172->19173 19175 88a287 ___scrt_uninitialize_crt 41 API calls 19173->19175 19174->19168 19176 886f15 GetLastError 19174->19176 19175->19178 19176->19168 19177 886f23 ___scrt_uninitialize_crt 19177->19161 19178->19168 19178->19171 19191 88a1d3 LeaveCriticalSection 19179->19191 19181 886def 19181->19156 19183 88a26c 19182->19183 19184 88a205 19182->19184 19185 87d610 __strnicoll 14 API calls 19183->19185 19184->19183 19190 88a22f 19184->19190 19186 88a271 19185->19186 19187 87d5fd __dosmaperr 14 API calls 19186->19187 19188 88a25c 19187->19188 19188->19177 19189 88a256 SetStdHandle 19189->19188 19190->19188 19190->19189 19191->19181 19192->19149 19193->19120 20857 8757f8 20858 875804 __EH_prolog3_GS 20857->20858 20860 875853 20858->20860 20864 87581b 20858->20864 20866 87586d 20858->20866 20871 874725 20860->20871 20898 875f21 20864->20898 20868 87591c 20866->20868 20870 875957 20866->20870 20874 875582 20866->20874 20878 87e347 20866->20878 20867 872e73 std::ios_base::_Init 41 API calls 20867->20864 20868->20867 20870->20868 20901 87edf7 20870->20901 20914 87d8df 20871->20914 20875 8755b6 20874->20875 20877 875592 20874->20877 20998 874769 20875->20998 20877->20866 20879 87e353 __FrameHandler3::FrameUnwindToState 20878->20879 20880 87e375 20879->20880 20881 87e35d 20879->20881 21007 87d747 EnterCriticalSection 20880->21007 20882 87d610 __strnicoll 14 API calls 20881->20882 20884 87e362 20882->20884 20887 87a91f __strnicoll 41 API calls 20884->20887 20885 87e37f 20886 87e41b 20885->20886 20888 884ca2 _Ungetc 41 API calls 20885->20888 21008 87e300 20886->21008 20892 87e36d 20887->20892 20894 87e39c 20888->20894 20890 87e421 21015 87e44b 20890->21015 20892->20866 20893 87e3f3 20895 87d610 __strnicoll 14 API calls 20893->20895 20894->20886 20894->20893 20896 87e3f8 20895->20896 20897 87a91f __strnicoll 41 API calls 20896->20897 20897->20892 20899 875eff __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 20898->20899 20900 875f2b 20899->20900 20900->20900 20902 87ee03 __FrameHandler3::FrameUnwindToState 20901->20902 20903 87ee1f 20902->20903 20904 87ee0a 20902->20904 21019 87d747 EnterCriticalSection 20903->21019 20905 87d610 __strnicoll 14 API calls 20904->20905 20907 87ee0f 20905->20907 20909 87a91f __strnicoll 41 API calls 20907->20909 20908 87ee29 21020 87ecfe 20908->21020 20912 87ee1a 20909->20912 20912->20870 20915 87d8eb __FrameHandler3::FrameUnwindToState 20914->20915 20916 87d8f2 20915->20916 20917 87d909 20915->20917 20918 87d610 __strnicoll 14 API calls 20916->20918 20927 87d747 EnterCriticalSection 20917->20927 20920 87d8f7 20918->20920 20922 87a91f __strnicoll 41 API calls 20920->20922 20921 87d915 20928 87d76f 20921->20928 20924 874730 20922->20924 20924->20864 20925 87d920 20962 87d94e 20925->20962 20927->20921 20929 87d78c 20928->20929 20931 87d7f2 20928->20931 20930 884ca2 _Ungetc 41 API calls 20929->20930 20932 87d792 20930->20932 20933 884ca2 _Ungetc 41 API calls 20931->20933 20961 87d7e9 20931->20961 20934 87d7b5 20932->20934 20936 884ca2 _Ungetc 41 API calls 20932->20936 20935 87d807 20933->20935 20934->20931 20945 87d7d0 20934->20945 20937 87d82a 20935->20937 20939 884ca2 _Ungetc 41 API calls 20935->20939 20938 87d79e 20936->20938 20940 87e33c 41 API calls 20937->20940 20937->20961 20938->20934 20944 884ca2 _Ungetc 41 API calls 20938->20944 20941 87d813 20939->20941 20943 87d84a 20940->20943 20941->20937 20947 884ca2 _Ungetc 41 API calls 20941->20947 20948 87d022 __Getctype 41 API calls 20943->20948 20943->20961 20946 87d7aa 20944->20946 20945->20961 20965 87e33c 20945->20965 20949 884ca2 _Ungetc 41 API calls 20946->20949 20950 87d81f 20947->20950 20951 87d862 20948->20951 20949->20934 20952 884ca2 _Ungetc 41 API calls 20950->20952 20953 87d88c 20951->20953 20955 87e33c 41 API calls 20951->20955 20952->20937 20972 884c6b 20953->20972 20957 87d873 20955->20957 20957->20953 20958 87d879 20957->20958 20960 87edf7 43 API calls 20958->20960 20959 87d610 __strnicoll 14 API calls 20959->20961 20960->20961 20961->20925 20997 87d75b LeaveCriticalSection 20962->20997 20964 87d954 20964->20924 20966 87e300 20965->20966 20967 87d610 __strnicoll 14 API calls 20966->20967 20970 87e321 20966->20970 20968 87e311 20967->20968 20969 87a91f __strnicoll 41 API calls 20968->20969 20971 87e31c 20969->20971 20970->20945 20971->20945 20973 884c7e _Fputc 20972->20973 20978 884b38 20973->20978 20976 87a65b _Fputc 41 API calls 20977 87d8a0 20976->20977 20977->20959 20977->20961 20979 884b4c 20978->20979 20988 884b5c 20978->20988 20980 884b81 20979->20980 20981 87c660 _Fputc 41 API calls 20979->20981 20979->20988 20982 884b92 20980->20982 20983 884bb5 20980->20983 20981->20980 20990 88e395 20982->20990 20985 884bdd 20983->20985 20986 884c31 20983->20986 20983->20988 20985->20988 20989 8887db std::_Locinfo::_Locinfo_ctor MultiByteToWideChar 20985->20989 20987 8887db std::_Locinfo::_Locinfo_ctor MultiByteToWideChar 20986->20987 20987->20988 20988->20976 20989->20988 20993 890053 20990->20993 20994 89007e _Fputc 20993->20994 20995 875eff __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 20994->20995 20996 88e3b0 20995->20996 20996->20988 20997->20964 20999 87481d 20998->20999 21000 87478d std::ios_base::_Init 20998->21000 21001 872ec2 std::ios_base::_Init 43 API calls 20999->21001 21003 871100 std::ios_base::_Init 43 API calls 21000->21003 21002 874822 21001->21002 21004 8747aa codecvt 21003->21004 21005 87131c _Deallocate 41 API calls 21004->21005 21006 8747eb codecvt 21004->21006 21005->21006 21006->20877 21007->20885 21009 87e30c 21008->21009 21013 87e321 21008->21013 21010 87d610 __strnicoll 14 API calls 21009->21010 21011 87e311 21010->21011 21012 87a91f __strnicoll 41 API calls 21011->21012 21014 87e31c 21012->21014 21013->20890 21014->20890 21018 87d75b LeaveCriticalSection 21015->21018 21017 87e451 21017->20892 21018->21017 21019->20908 21021 87ed16 21020->21021 21023 87ed86 21020->21023 21022 884ca2 _Ungetc 41 API calls 21021->21022 21026 87ed1c 21022->21026 21024 886d25 _Ungetc 14 API calls 21023->21024 21025 87ed7e 21023->21025 21024->21025 21031 87ee62 21025->21031 21026->21023 21027 87ed6e 21026->21027 21028 87d610 __strnicoll 14 API calls 21027->21028 21029 87ed73 21028->21029 21030 87a91f __strnicoll 41 API calls 21029->21030 21030->21025 21034 87d75b LeaveCriticalSection 21031->21034 21033 87ee68 21033->20912 21034->21033 21068 880702 21071 8803ce 21068->21071 21072 8803da __FrameHandler3::FrameUnwindToState 21071->21072 21079 87cd14 EnterCriticalSection 21072->21079 21074 8803e4 21075 880412 21074->21075 21077 88b31e __Getctype 14 API calls 21074->21077 21080 880430 21075->21080 21077->21074 21079->21074 21083 87cd5c LeaveCriticalSection 21080->21083 21082 88041e 21083->21082 21102 882917 21103 882922 21102->21103 21107 882932 21102->21107 21108 882938 21103->21108 21106 883d06 ___free_lconv_mon 14 API calls 21106->21107 21109 88294d 21108->21109 21110 882953 21108->21110 21111 883d06 ___free_lconv_mon 14 API calls 21109->21111 21112 883d06 ___free_lconv_mon 14 API calls 21110->21112 21111->21110 21113 88295f 21112->21113 21114 883d06 ___free_lconv_mon 14 API calls 21113->21114 21115 88296a 21114->21115 21116 883d06 ___free_lconv_mon 14 API calls 21115->21116 21117 882975 21116->21117 21118 883d06 ___free_lconv_mon 14 API calls 21117->21118 21119 882980 21118->21119 21120 883d06 ___free_lconv_mon 14 API calls 21119->21120 21121 88298b 21120->21121 21122 883d06 ___free_lconv_mon 14 API calls 21121->21122 21123 882996 21122->21123 21124 883d06 ___free_lconv_mon 14 API calls 21123->21124 21125 8829a1 21124->21125 21126 883d06 ___free_lconv_mon 14 API calls 21125->21126 21127 8829ac 21126->21127 21128 883d06 ___free_lconv_mon 14 API calls 21127->21128 21129 8829ba 21128->21129 21134 882764 21129->21134 21135 882770 __FrameHandler3::FrameUnwindToState 21134->21135 21150 87cd14 EnterCriticalSection 21135->21150 21137 88277a 21140 883d06 ___free_lconv_mon 14 API calls 21137->21140 21141 8827a4 21137->21141 21140->21141 21151 8827c3 21141->21151 21142 8827cf 21143 8827db __FrameHandler3::FrameUnwindToState 21142->21143 21155 87cd14 EnterCriticalSection 21143->21155 21145 8827e5 21146 882a05 __Getctype 14 API calls 21145->21146 21147 8827f8 21146->21147 21156 882818 21147->21156 21150->21137 21154 87cd5c LeaveCriticalSection 21151->21154 21153 8827b1 21153->21142 21154->21153 21155->21145 21159 87cd5c LeaveCriticalSection 21156->21159 21158 882806 21158->21106 21159->21158 19352 873222 19355 87326e 19352->19355 19354 8732fc 19378 873d59 19354->19378 19357 8732cf 19355->19357 19366 87aa45 19355->19366 19374 873c2f 19357->19374 19359 87333b 19381 871379 19359->19381 19362 875eff __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 19364 8733d6 19362->19364 19363 8724ad _Deallocate 41 API calls 19365 8733b2 _Deallocate 19363->19365 19365->19362 19367 87aa54 19366->19367 19371 87aa6b __floor_pentium4 19366->19371 19368 87d610 __strnicoll 14 API calls 19367->19368 19369 87aa59 19368->19369 19370 87a91f __strnicoll 41 API calls 19369->19370 19372 87aa64 __floor_pentium4 19370->19372 19371->19372 19415 8832f9 19371->19415 19372->19357 19375 873c49 19374->19375 19376 873c38 19374->19376 19445 872ef5 19375->19445 19376->19354 19457 873cdc 19378->19457 19382 8713b6 _strcspn 19381->19382 19383 87ccab 41 API calls 19382->19383 19384 871416 _strcspn 19383->19384 19385 8719d7 67 API calls 19384->19385 19386 871447 std::ios_base::_Ios_base_dtor 19385->19386 19387 871bf3 43 API calls 19386->19387 19388 871462 19387->19388 19389 871ac9 69 API calls 19388->19389 19396 87149d std::ios_base::_Ios_base_dtor 19389->19396 19390 871541 19391 87157d 19390->19391 19392 871628 19390->19392 19394 8715d6 19391->19394 19395 871584 19391->19395 19393 872d70 70 API calls 19392->19393 19405 8715d1 19393->19405 19399 872d70 70 API calls 19394->19399 19397 872da5 70 API calls 19395->19397 19396->19390 19398 873aab 43 API calls 19396->19398 19400 87159f 19397->19400 19398->19396 19401 8715f9 19399->19401 19403 872d70 70 API calls 19400->19403 19404 872da5 70 API calls 19401->19404 19402 872d70 70 API calls 19406 871682 19402->19406 19403->19405 19404->19405 19405->19402 19407 872da5 70 API calls 19406->19407 19408 8716b2 19407->19408 19409 872e73 std::ios_base::_Init 41 API calls 19408->19409 19410 8716be 19409->19410 19411 872e99 41 API calls 19410->19411 19412 8716c7 19411->19412 19413 875eff __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 19412->19413 19414 8716d8 19413->19414 19414->19363 19414->19365 19416 883332 __floor_pentium4 19415->19416 19418 883359 __floor_pentium4 19416->19418 19426 883663 19416->19426 19419 88339c 19418->19419 19420 883377 19418->19420 19438 883959 19419->19438 19430 883988 19420->19430 19423 883397 __floor_pentium4 19424 875eff __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 19423->19424 19425 8833c0 19424->19425 19425->19372 19427 88368e __raise_exc 19426->19427 19428 883887 RaiseException 19427->19428 19429 8838a0 19428->19429 19429->19418 19431 883995 19430->19431 19432 8839a4 __floor_pentium4 19431->19432 19434 8839d3 __startOneArgErrorHandling __floor_pentium4 19431->19434 19433 883959 __floor_pentium4 14 API calls 19432->19433 19435 8839bd 19433->19435 19436 883a21 19434->19436 19437 883959 __floor_pentium4 14 API calls 19434->19437 19435->19423 19436->19423 19437->19436 19439 88397b 19438->19439 19440 883966 19438->19440 19442 87d610 __strnicoll 14 API calls 19439->19442 19441 883980 19440->19441 19443 87d610 __strnicoll 14 API calls 19440->19443 19441->19423 19442->19441 19444 883973 19443->19444 19444->19423 19446 872f37 19445->19446 19448 87191f 19446->19448 19449 8719a8 19448->19449 19450 871938 std::ios_base::_Init 19448->19450 19451 872ec2 std::ios_base::_Init 43 API calls 19449->19451 19453 871100 std::ios_base::_Init 43 API calls 19450->19453 19452 8719ad 19451->19452 19454 871957 std::ios_base::_Init 19453->19454 19455 87131c _Deallocate 41 API calls 19454->19455 19456 87198d std::ios_base::_Init 19454->19456 19455->19456 19458 873cf3 _swprintf 19457->19458 19461 87c790 19458->19461 19462 87c7a4 _Fputc 19461->19462 19467 87acd9 19462->19467 19465 87a65b _Fputc 41 API calls 19466 873cfd 19465->19466 19466->19359 19468 87ace5 19467->19468 19469 87ad08 19467->19469 19470 87a8a2 __strnicoll 29 API calls 19468->19470 19473 87ad2f 19469->19473 19475 87ab65 19469->19475 19474 87ad00 19470->19474 19472 87a8a2 __strnicoll 29 API calls 19472->19474 19473->19472 19473->19474 19474->19465 19476 87abb4 19475->19476 19477 87ab91 19475->19477 19476->19477 19481 87abbc _swprintf 19476->19481 19478 87a8a2 __strnicoll 29 API calls 19477->19478 19479 87aba9 19478->19479 19480 875eff __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 19479->19480 19482 87acd7 19480->19482 19486 87ba3f 19481->19486 19482->19473 19503 87c6d6 19486->19503 19488 87ac3d 19500 87b890 19488->19500 19489 87ba66 19490 87a8a2 __strnicoll 29 API calls 19489->19490 19490->19488 19493 87c660 _Fputc 41 API calls 19495 87ba58 _swprintf 19493->19495 19495->19488 19495->19489 19495->19493 19496 87bca7 19495->19496 19507 87b9c7 19495->19507 19510 87bd1f 19495->19510 19544 87be7d 19495->19544 19497 87a8a2 __strnicoll 29 API calls 19496->19497 19498 87bcc3 19497->19498 19499 87a8a2 __strnicoll 29 API calls 19498->19499 19499->19488 19501 883d06 ___free_lconv_mon 14 API calls 19500->19501 19502 87b8a0 19501->19502 19502->19479 19504 87c6fa 19503->19504 19505 87c6e1 19503->19505 19504->19495 19506 87a8a2 __strnicoll 29 API calls 19505->19506 19506->19504 19573 87ae73 19507->19573 19509 87ba02 19509->19495 19511 87bd26 19510->19511 19512 87bd3d 19510->19512 19514 87bd7c 19511->19514 19515 87bf15 19511->19515 19516 87bea4 19511->19516 19513 87a8a2 __strnicoll 29 API calls 19512->19513 19512->19514 19517 87bd71 19513->19517 19514->19495 19518 87bf1a 19515->19518 19519 87bf68 19515->19519 19520 87bf42 19516->19520 19521 87beaa 19516->19521 19517->19495 19522 87bf5c 19518->19522 19523 87bf1c 19518->19523 19519->19520 19524 87bee7 19519->19524 19542 87becc _swprintf 19519->19542 19608 87b21d 19520->19608 19521->19524 19529 87beb0 19521->19529 19625 87c579 19522->19625 19527 87bf21 19523->19527 19528 87bebe 19523->19528 19543 87bee0 _swprintf 19524->19543 19589 87b39a 19524->19589 19527->19520 19532 87bf26 19527->19532 19528->19542 19528->19543 19615 87c2b9 19528->19615 19529->19528 19531 87befc 19529->19531 19529->19542 19531->19543 19596 87c443 19531->19596 19534 87bf2b 19532->19534 19535 87bf39 19532->19535 19534->19543 19600 87c55c 19534->19600 19604 87c4d8 19535->19604 19538 875eff __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 19539 87c209 19538->19539 19539->19495 19541 884994 _Fputc 43 API calls 19541->19542 19542->19541 19542->19543 19543->19538 19545 87bf15 19544->19545 19546 87bea4 19544->19546 19547 87bf1a 19545->19547 19548 87bf68 19545->19548 19549 87bf42 19546->19549 19550 87beaa 19546->19550 19551 87bf5c 19547->19551 19552 87bf1c 19547->19552 19548->19549 19557 87bee7 19548->19557 19572 87becc _swprintf 19548->19572 19553 87b21d _swprintf 30 API calls 19549->19553 19550->19557 19559 87beb0 19550->19559 19556 87c579 _swprintf 30 API calls 19551->19556 19554 87bf21 19552->19554 19555 87bebe 19552->19555 19553->19572 19554->19549 19561 87bf26 19554->19561 19560 87c2b9 _swprintf 44 API calls 19555->19560 19571 87bee0 _swprintf 19555->19571 19555->19572 19556->19572 19562 87b39a _swprintf 30 API calls 19557->19562 19557->19571 19558 87befc 19566 87c443 _swprintf 43 API calls 19558->19566 19558->19571 19559->19555 19559->19558 19559->19572 19560->19572 19563 87bf2b 19561->19563 19564 87bf39 19561->19564 19562->19572 19569 87c55c _swprintf 30 API calls 19563->19569 19563->19571 19565 87c4d8 _swprintf 29 API calls 19564->19565 19565->19572 19566->19572 19567 875eff __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 19568 87c209 19567->19568 19568->19495 19569->19572 19570 884994 _Fputc 43 API calls 19570->19572 19571->19567 19572->19570 19572->19571 19574 87c6bb _swprintf 41 API calls 19573->19574 19575 87ae85 19574->19575 19576 87ae9a 19575->19576 19579 87aecd 19575->19579 19582 87aeb5 _swprintf 19575->19582 19577 87a8a2 __strnicoll 29 API calls 19576->19577 19577->19582 19578 87af64 19580 87c600 _swprintf 41 API calls 19578->19580 19579->19578 19583 87c600 19579->19583 19580->19582 19582->19509 19584 87c625 19583->19584 19585 87c611 19583->19585 19584->19578 19585->19584 19586 87d610 __strnicoll 14 API calls 19585->19586 19587 87c61a 19586->19587 19588 87a91f __strnicoll 41 API calls 19587->19588 19588->19584 19591 87b3ae _swprintf 19589->19591 19590 87b3f7 19595 87b3ed _swprintf 19590->19595 19628 87ad90 19590->19628 19591->19590 19592 87b3d0 19591->19592 19593 87a8a2 __strnicoll 29 API calls 19592->19593 19593->19595 19595->19542 19597 87c45e _swprintf 19596->19597 19598 87c495 19597->19598 19599 884994 _Fputc 43 API calls 19597->19599 19598->19542 19599->19598 19601 87c568 19600->19601 19642 87b0a0 19601->19642 19603 87c578 19603->19542 19606 87c4ed _swprintf 19604->19606 19605 87a8a2 __strnicoll 29 API calls 19607 87c50e 19605->19607 19606->19605 19606->19607 19607->19542 19609 87b231 _swprintf 19608->19609 19610 87b253 19609->19610 19612 87b27a 19609->19612 19611 87a8a2 __strnicoll 29 API calls 19610->19611 19614 87b270 _swprintf 19611->19614 19613 87ad90 _swprintf 15 API calls 19612->19613 19612->19614 19613->19614 19614->19542 19616 87c2d3 19615->19616 19617 87ad90 _swprintf 15 API calls 19616->19617 19618 87c314 _swprintf 19617->19618 19649 884813 19618->19649 19621 87c660 _Fputc 41 API calls 19622 87c3c2 _swprintf 19621->19622 19623 87c660 _Fputc 41 API calls 19622->19623 19624 87c3f5 _swprintf 19622->19624 19623->19624 19624->19542 19624->19624 19626 87b39a _swprintf 30 API calls 19625->19626 19627 87c58e 19626->19627 19627->19542 19629 87adb7 19628->19629 19630 87ada5 19628->19630 19629->19630 19631 883d40 std::_Locinfo::_Locinfo_ctor 15 API calls 19629->19631 19630->19595 19632 87addb 19631->19632 19633 87ade3 19632->19633 19634 87adee 19632->19634 19635 883d06 ___free_lconv_mon 14 API calls 19633->19635 19639 87b8aa 19634->19639 19635->19630 19638 883d06 ___free_lconv_mon 14 API calls 19638->19630 19640 883d06 ___free_lconv_mon 14 API calls 19639->19640 19641 87adf9 19640->19641 19641->19638 19643 87b0b4 _swprintf 19642->19643 19644 87b0d6 19643->19644 19646 87b0fd 19643->19646 19645 87a8a2 __strnicoll 29 API calls 19644->19645 19647 87b0f3 _swprintf 19645->19647 19646->19647 19648 87ad90 _swprintf 15 API calls 19646->19648 19647->19603 19648->19647 19650 884848 19649->19650 19652 884824 19649->19652 19650->19652 19654 88487b _swprintf 19650->19654 19651 87a8a2 __strnicoll 29 API calls 19653 87c39e 19651->19653 19652->19651 19653->19621 19653->19622 19655 8848b4 19654->19655 19658 8848e3 19654->19658 19668 8846b7 19655->19668 19656 88490c 19661 884939 19656->19661 19662 884973 19656->19662 19657 884911 19676 883f4f 19657->19676 19658->19656 19658->19657 19664 884959 19661->19664 19665 88493e 19661->19665 19703 88427b 19662->19703 19696 884464 19664->19696 19686 8845e8 19665->19686 19669 8846d8 19668->19669 19670 8846cd 19668->19670 19671 881fb8 ___std_exception_copy 41 API calls 19669->19671 19670->19653 19672 884733 19671->19672 19673 88473d 19672->19673 19674 87a94c _Deallocate 11 API calls 19672->19674 19673->19653 19675 88474b 19674->19675 19677 883f62 19676->19677 19678 883f71 19677->19678 19679 883f93 19677->19679 19681 87a8a2 __strnicoll 29 API calls 19678->19681 19680 883fad 19679->19680 19683 884002 19679->19683 19682 88427b _swprintf 43 API calls 19680->19682 19685 883f89 _swprintf __alldvrm codecvt _strrchr 19681->19685 19682->19685 19684 87c660 _Fputc 41 API calls 19683->19684 19683->19685 19684->19685 19685->19653 19687 88cd80 _swprintf 43 API calls 19686->19687 19688 884618 19687->19688 19689 88cc86 _swprintf 29 API calls 19688->19689 19690 884656 19689->19690 19691 88465d 19690->19691 19692 884696 19690->19692 19693 88466f 19690->19693 19691->19653 19694 88431f _swprintf 41 API calls 19692->19694 19695 8844fa _swprintf 41 API calls 19693->19695 19694->19691 19695->19691 19697 88cd80 _swprintf 43 API calls 19696->19697 19698 884493 19697->19698 19699 88cc86 _swprintf 29 API calls 19698->19699 19700 8844d4 19699->19700 19701 8844db 19700->19701 19702 8844fa _swprintf 41 API calls 19700->19702 19701->19653 19702->19701 19704 88cd80 _swprintf 43 API calls 19703->19704 19705 8842a5 19704->19705 19706 88cc86 _swprintf 29 API calls 19705->19706 19707 8842f3 19706->19707 19708 8842fa 19707->19708 19709 88431f _swprintf 41 API calls 19707->19709 19708->19653 19709->19708 19878 88c642 19879 88c65b 19878->19879 19880 88c679 19878->19880 19879->19880 19881 884ee6 2 API calls 19879->19881 19881->19879 19882 87e453 19883 87e473 19882->19883 19884 87e45e 19882->19884 19886 87e490 19883->19886 19887 87e47b 19883->19887 19885 87d610 __strnicoll 14 API calls 19884->19885 19889 87e463 19885->19889 19896 888150 19886->19896 19890 87d610 __strnicoll 14 API calls 19887->19890 19892 87a91f __strnicoll 41 API calls 19889->19892 19893 87e480 19890->19893 19891 87e48b 19894 87e46e 19892->19894 19895 87a91f __strnicoll 41 API calls 19893->19895 19895->19891 19897 888164 _Fputc 19896->19897 19902 887b65 19897->19902 19900 87a65b _Fputc 41 API calls 19901 88817e 19900->19901 19901->19891 19903 887b71 __FrameHandler3::FrameUnwindToState 19902->19903 19904 887b78 19903->19904 19905 887b9b 19903->19905 19906 87a8a2 __strnicoll 29 API calls 19904->19906 19913 87d747 EnterCriticalSection 19905->19913 19909 887b91 19906->19909 19908 887ba9 19914 887bf4 19908->19914 19909->19900 19911 887bb8 19927 887bea 19911->19927 19913->19908 19915 887c2b 19914->19915 19916 887c03 19914->19916 19918 884ca2 _Ungetc 41 API calls 19915->19918 19917 87a8a2 __strnicoll 29 API calls 19916->19917 19926 887c1e __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 19917->19926 19919 887c34 19918->19919 19930 88837a 19919->19930 19922 887cde 19933 887f54 19922->19933 19924 887cf5 19924->19926 19945 887d95 19924->19945 19926->19911 19952 87d75b LeaveCriticalSection 19927->19952 19929 887bf2 19929->19909 19931 888191 45 API calls 19930->19931 19932 887c52 19931->19932 19932->19922 19932->19924 19932->19926 19934 887f63 ___scrt_uninitialize_crt 19933->19934 19935 884ca2 _Ungetc 41 API calls 19934->19935 19937 887f7f __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 19935->19937 19936 875eff __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 19938 8880fd 19936->19938 19939 88837a 45 API calls 19937->19939 19944 887f8b 19937->19944 19938->19926 19940 887fdf 19939->19940 19941 888011 ReadFile 19940->19941 19940->19944 19942 888038 19941->19942 19941->19944 19943 88837a 45 API calls 19942->19943 19943->19944 19944->19936 19946 884ca2 _Ungetc 41 API calls 19945->19946 19947 887da8 19946->19947 19948 88837a 45 API calls 19947->19948 19951 887df0 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 19947->19951 19949 887e43 19948->19949 19950 88837a 45 API calls 19949->19950 19949->19951 19950->19951 19951->19926 19952->19929 17862 873c59 17863 873c61 17862->17863 17864 873c69 17863->17864 17865 8753c9 70 API calls 17863->17865 17865->17864 17866 871379 17867 8713b6 _strcspn 17866->17867 17900 87ccab 17867->17900 17869 871416 _strcspn 17870 8719d7 67 API calls 17869->17870 17871 871447 std::ios_base::_Ios_base_dtor 17870->17871 17905 871bf3 17871->17905 17875 871541 17876 87157d 17875->17876 17877 871628 17875->17877 17879 8715d6 17876->17879 17880 871584 17876->17880 17878 872d70 70 API calls 17877->17878 17890 8715d1 17878->17890 17884 872d70 70 API calls 17879->17884 17934 872da5 17880->17934 17881 87149d std::ios_base::_Ios_base_dtor 17881->17875 17927 873aab 17881->17927 17886 8715f9 17884->17886 17889 872da5 70 API calls 17886->17889 17888 872d70 70 API calls 17888->17890 17889->17890 17923 872d70 17890->17923 17892 872da5 70 API calls 17893 8716b2 17892->17893 17894 872e73 std::ios_base::_Init 41 API calls 17893->17894 17895 8716be 17894->17895 17938 872e99 17895->17938 17898 875eff __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 17899 8716d8 17898->17899 17901 882a50 __Getctype 41 API calls 17900->17901 17902 87ccb6 17901->17902 17903 883d8e __Getctype 41 API calls 17902->17903 17904 87ccc6 17903->17904 17904->17869 17942 8712a1 17905->17942 17907 871462 17908 871ac9 17907->17908 17909 873dcc std::_Lockit::_Lockit 7 API calls 17908->17909 17910 871ada 17909->17910 17911 8721b2 int 9 API calls 17910->17911 17913 871aed 17911->17913 17912 871b00 17914 873e24 std::_Lockit::~_Lockit 2 API calls 17912->17914 17913->17912 17961 872750 17913->17961 17915 871b36 17914->17915 17915->17881 17918 871b17 17920 87411a std::_Facet_Register 43 API calls 17918->17920 17919 871b3c 17921 872e36 RaiseException 17919->17921 17920->17912 17922 871b41 17921->17922 17924 871682 17923->17924 17925 872d7b 17923->17925 17924->17892 17925->17924 18022 87205b 17925->18022 17928 873b16 17927->17928 17929 873abc 17927->17929 18035 872ecd 17928->18035 17932 873ac8 17929->17932 18026 8717fc 17929->18026 17932->17881 17935 87159f 17934->17935 17936 872db0 17934->17936 17935->17888 17936->17935 17937 87205b 70 API calls 17936->17937 17937->17936 17939 872ea2 17938->17939 17940 8716c7 17938->17940 17941 872549 41 API calls 17939->17941 17940->17898 17941->17940 17943 871316 17942->17943 17946 8712b2 17942->17946 17944 872ec2 std::ios_base::_Init 43 API calls 17943->17944 17945 87131b 17944->17945 17948 8712b9 17946->17948 17949 872ed8 17946->17949 17948->17907 17950 872eef 17949->17950 17953 872e19 17950->17953 17954 872e27 Concurrency::cancel_current_task 17953->17954 17955 87741c Concurrency::cancel_current_task RaiseException 17954->17955 17956 872e35 17955->17956 17957 87a86b __strnicoll 41 API calls 17956->17957 17958 87a93e 17957->17958 17959 87a94c _Deallocate 11 API calls 17958->17959 17960 87a94b 17959->17960 17962 872764 17961->17962 17963 871b10 17961->17963 17962->17963 17964 875ec1 codecvt 43 API calls 17962->17964 17963->17918 17963->17919 17966 872770 codecvt 17964->17966 17965 87279b 17965->17963 17967 871f84 std::_Locinfo::~_Locinfo 63 API calls 17965->17967 17966->17965 17968 871c4c codecvt 66 API calls 17966->17968 17967->17963 17969 872788 17968->17969 17971 8728a8 17969->17971 17972 87ccab 41 API calls 17971->17972 17973 8728c7 17972->17973 17974 8743ca codecvt 41 API calls 17973->17974 17975 8728d3 17974->17975 17976 8743ca codecvt 41 API calls 17975->17976 17977 872906 17976->17977 17990 87170f 17977->17990 17979 872912 17995 87174b 17979->17995 17982 87174b 17 API calls 17983 87293b 17982->17983 17989 872969 17983->17989 18005 8716de 17983->18005 17986 875eff __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 17988 872997 17986->17988 17987 8716de 16 API calls 17987->17989 17988->17965 17989->17986 17991 87171a __Getctype _strlen 17990->17991 17992 87172e codecvt 17991->17992 18008 873f36 17991->18008 17992->17979 17998 871765 _strlen 17995->17998 17996 871799 __Getctype 17999 8717f6 17996->17999 18004 8717ae 17996->18004 17998->17996 18012 874499 17998->18012 18001 873f36 Concurrency::cancel_current_task RaiseException 17999->18001 18000 8717e3 18000->17982 18002 8717fb 18001->18002 18003 874499 16 API calls 18003->18004 18004->18000 18004->18003 18006 874499 16 API calls 18005->18006 18007 871706 18006->18007 18007->17987 18009 873f44 Concurrency::cancel_current_task 18008->18009 18010 87741c Concurrency::cancel_current_task RaiseException 18009->18010 18011 873f52 18010->18011 18013 8744a3 18012->18013 18015 8744a7 18012->18015 18013->17998 18014 874593 MultiByteToWideChar 18018 8744b1 18014->18018 18019 8744ed 18014->18019 18015->18014 18016 8744e3 18015->18016 18017 874550 18015->18017 18015->18018 18016->18014 18016->18019 18017->18018 18021 874579 MultiByteToWideChar 18017->18021 18018->17998 18019->18018 18020 87d610 __strnicoll 14 API calls 18019->18020 18020->18018 18021->18018 18021->18019 18023 872065 18022->18023 18025 87206e 18022->18025 18024 873c59 70 API calls 18023->18024 18024->18025 18025->17925 18027 871815 18026->18027 18028 87188a 18026->18028 18031 872ed8 42 API calls 18027->18031 18029 872ec2 std::ios_base::_Init 43 API calls 18028->18029 18030 87188f 18029->18030 18032 871839 18031->18032 18033 87186e 18032->18033 18038 872549 18032->18038 18033->17932 18041 873f73 18035->18041 18039 87131c _Deallocate 41 API calls 18038->18039 18040 87255e 18039->18040 18040->18033 18046 873ecb 18041->18046 18044 87741c Concurrency::cancel_current_task RaiseException 18045 873f92 18044->18045 18047 871df3 std::exception::exception 42 API calls 18046->18047 18048 873edd 18047->18048 18048->18044

                                                                                                                                                        Executed Functions

                                                                                                                                                        Function 0088A031 Relevance: .0, Instructions: 22COMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 9395896353acccf952a291b6f0163853f95de6a84289665eef3950dd9f5b70ca
                                                                                                                                                        • Instruction ID: 73c3b951916dc8d015affbd374d053575319ccf6c5a695364e5ac85d6ff6dc21
                                                                                                                                                        • Opcode Fuzzy Hash: 9395896353acccf952a291b6f0163853f95de6a84289665eef3950dd9f5b70ca
                                                                                                                                                        • Instruction Fuzzy Hash: F8E08C32911628EBCB18EB8CC94498AF7ECFB45B40B11449BB501E3240C270DE00C7D2
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 008801B7 Relevance: .0, Instructions: 12COMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: a6c70af4465b51eee87a21b9394eca4da2bf3182d56390a37949a0b0cf79ca84
                                                                                                                                                        • Instruction ID: 1c73cf16610ceab0d9f00667bd88a40025dbf9c4a56bfa40735c30b3866c7064
                                                                                                                                                        • Opcode Fuzzy Hash: a6c70af4465b51eee87a21b9394eca4da2bf3182d56390a37949a0b0cf79ca84
                                                                                                                                                        • Instruction Fuzzy Hash: 61C08C3C0019088BCE2DA91487753AA3364F3A17D2F80048CDC028B693D55E9C8ADB02
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 008851FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 0 8851fb-885207 1 885299-88529c 0->1 2 88520c-88521d 1->2 3 8852a2 1->3 5 88522a-885243 LoadLibraryExW 2->5 6 88521f-885222 2->6 4 8852a4-8852a8 3->4 9 8852a9-8852b9 5->9 10 885245-88524e GetLastError 5->10 7 885228 6->7 8 8852c2-8852c4 6->8 12 885296 7->12 8->4 9->8 11 8852bb-8852bc FreeLibrary 9->11 13 885250-885262 call 8826d8 10->13 14 885287-885294 10->14 11->8 12->1 13->14 17 885264-885276 call 8826d8 13->17 14->12 17->14 20 885278-885285 LoadLibraryExW 17->20 20->9 20->14
                                                                                                                                                        APIs
                                                                                                                                                        • FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00000000,?,8F8D4C53,?,00885308,?,?,00000000,00000000), ref: 008852BC
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: FreeLibrary
                                                                                                                                                        • String ID: api-ms-$ext-ms-
                                                                                                                                                        • API String ID: 3664257935-537541572
                                                                                                                                                        • Opcode ID: 24d888c8dbafc35b3b0172efef016c02f0bc439b5e8f19ed395234c902dab451
                                                                                                                                                        • Instruction ID: 789cdb2ff7d90c74a9b487119322dfd5cee670a587b9420b7ec96e6eee3e72a2
                                                                                                                                                        • Opcode Fuzzy Hash: 24d888c8dbafc35b3b0172efef016c02f0bc439b5e8f19ed395234c902dab451
                                                                                                                                                        • Instruction Fuzzy Hash: 7021B471A01A15ABDB21BB65AC45A5A3B68FF41774F280221E916E7291EF30ED00C7D0
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 00880143 Relevance: 4.5, APIs: 3, Instructions: 15COMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        APIs
                                                                                                                                                        • GetCurrentProcess.KERNEL32(?,?,0088013D,00000000,0087A722,?,?,8F8D4C53,0087A722,?), ref: 00880154
                                                                                                                                                        • TerminateProcess.KERNEL32(00000000,?,0088013D,00000000,0087A722,?,?,8F8D4C53,0087A722,?), ref: 0088015B
                                                                                                                                                        • ExitProcess.KERNEL32 ref: 0088016D
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: Process$CurrentExitTerminate
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 1703294689-0
                                                                                                                                                        • Opcode ID: 8164e52909e64f1a1d916213b1163b00794032b9f173d6c3c83375be2d5486e5
                                                                                                                                                        • Instruction ID: 546f508822ddf0d2faec459dc545167047be93b5b5d44f0fb0c92dbcc33bc3a3
                                                                                                                                                        • Opcode Fuzzy Hash: 8164e52909e64f1a1d916213b1163b00794032b9f173d6c3c83375be2d5486e5
                                                                                                                                                        • Instruction Fuzzy Hash: 8ED09E35000508BFCF413F65DC0D94D3F2AFF407517084011B90995431DB759A599F51
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 00871379 Relevance: 3.3, APIs: 2, Instructions: 287COMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 28 871379-8713b4 29 8713b6-8713ba 28->29 30 8713c5 28->30 32 8713c0-8713c3 29->32 33 8713bc-8713be 29->33 31 8713c7-8713d3 30->31 34 8713d5-8713da 31->34 35 8713dc-8713e6 31->35 32->31 33->30 33->32 36 8713fe-8714c9 call 87cbd0 call 87ccab call 87cbd0 call 8719d7 call 872027 call 871bf3 call 871ac9 call 872027 34->36 35->36 37 8713e8-8713ec 35->37 62 8714eb-8714f3 36->62 63 8714cb-8714e7 36->63 37->36 38 8713ee-8713f5 37->38 40 8713f7-8713fa 38->40 41 8713fc 38->41 40->36 40->41 41->36 64 871545-871551 62->64 65 8714f5-87150e 62->65 63->62 66 871566 64->66 67 871553 64->67 65->64 69 871510 65->69 72 871568-871577 66->72 70 871555-871559 67->70 71 87155b-871560 67->71 73 871514-871516 69->73 70->66 70->71 71->66 74 871562-871564 71->74 75 87157d-871582 72->75 76 871628-87164b call 872d70 72->76 77 871541 73->77 78 871518-871521 73->78 74->72 80 8715d6-871626 call 872d70 call 872da5 75->80 81 871584-8715d4 call 872da5 call 872d70 75->81 87 87164e-87167d call 872d70 76->87 77->64 78->77 82 871523-87153f call 873aab 78->82 80->87 81->87 82->73 82->77 95 871682-8716db call 872da5 call 872e73 call 872e99 call 875eff 87->95
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: _strcspn
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3709121408-0
                                                                                                                                                        • Opcode ID: cf218804e5d80d41d9d0d59ca86979c6c9779419ae4ec1d557f9a3805fbe2600
                                                                                                                                                        • Instruction ID: 196175d9f4830d3c90254b58e2942f5c4031843b0e279736b21f0f90c94c481e
                                                                                                                                                        • Opcode Fuzzy Hash: cf218804e5d80d41d9d0d59ca86979c6c9779419ae4ec1d557f9a3805fbe2600
                                                                                                                                                        • Instruction Fuzzy Hash: C4B18771508344AFDB24DF28C884A6BBBE9FF88300F54891EF999C7665D730E944CB52
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 00887965 Relevance: 3.2, APIs: 2, Instructions: 191fileCOMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 105 887965-887984 106 88798a-88798c 105->106 107 887b5e 105->107 108 8879b8-8879de 106->108 109 88798e-8879ad call 87a8a2 106->109 110 887b60-887b64 107->110 112 8879e0-8879e2 108->112 113 8879e4-8879ea 108->113 116 8879b0-8879b3 109->116 112->113 115 8879ec-8879f6 112->115 113->109 113->115 117 8879f8-887a03 call 8883d8 115->117 118 887a06-887a11 call 8874e9 115->118 116->110 117->118 123 887a53-887a65 118->123 124 887a13-887a18 118->124 127 887ab6-887ad6 WriteFile 123->127 128 887a67-887a6d 123->128 125 887a1a-887a1e 124->125 126 887a3d-887a51 call 8870af 124->126 129 887a24-887a33 call 887481 125->129 130 887b26-887b38 125->130 147 887a36-887a38 126->147 132 887ad8-887ade GetLastError 127->132 133 887ae1 127->133 134 887a6f-887a72 128->134 135 887aa4-887aaf call 887567 128->135 129->147 136 887b3a-887b40 130->136 137 887b42-887b54 130->137 132->133 141 887ae4-887aef 133->141 142 887a92-887aa2 call 88772b 134->142 143 887a74-887a77 134->143 146 887ab4 135->146 136->107 136->137 137->116 148 887b59-887b5c 141->148 149 887af1-887af6 141->149 152 887a8d-887a90 142->152 143->130 150 887a7d-887a88 call 887642 143->150 146->152 147->141 148->110 153 887af8-887afd 149->153 154 887b24 149->154 150->152 152->147 156 887aff-887b11 153->156 157 887b16-887b1f call 87d5d9 153->157 154->130 156->116 157->116
                                                                                                                                                        APIs
                                                                                                                                                          • Part of subcall function 008870AF: GetConsoleOutputCP.KERNEL32(8F8D4C53,00000000,00000000,00000000), ref: 00887112
                                                                                                                                                        • WriteFile.KERNEL32(?,00000000,?,0089C4A0,00000000,0000000C,00000000,00000000,?,00000000,0089C4A0,00000010,0087EA3D,00000000,00000000,00000000), ref: 00887ACE
                                                                                                                                                        • GetLastError.KERNEL32(?,00000000), ref: 00887AD8
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: ConsoleErrorFileLastOutputWrite
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2915228174-0
                                                                                                                                                        • Opcode ID: 5c81233acd360429f416d4392dd46e157012be862c077d9c8e2926375fd06a91
                                                                                                                                                        • Instruction ID: 8588444d01c0018d1036ad74b865b53c43fea3349e5a806f429afa0d265e13bb
                                                                                                                                                        • Opcode Fuzzy Hash: 5c81233acd360429f416d4392dd46e157012be862c077d9c8e2926375fd06a91
                                                                                                                                                        • Instruction Fuzzy Hash: 74619E71D08159AEDF15EFA8C884EEEBFB9FF09318F244085E814E7252D335DA018B61
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 008753C9 Relevance: 3.1, APIs: 2, Instructions: 116COMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 160 8753c9-8753e9 161 8753f4-8753fb 160->161 162 8753eb-8753f2 call 8753af 160->162 164 87541d-875421 161->164 165 8753fd-875407 161->165 170 875449-875457 call 875eff 162->170 168 875446 164->168 169 875423-875432 call 875025 164->169 165->164 167 875409-87541b 165->167 167->170 168->170 174 875434-875438 call 87474c 169->174 175 87545a-87548f 169->175 178 87543d-875441 174->178 182 8754b5-8754bd 175->182 183 875491-875494 175->183 178->168 180 875443 178->180 180->168 184 8754d6-8754e0 182->184 185 8754bf-8754d0 call 87eac6 182->185 183->182 186 875496-87549a 183->186 184->168 188 8754e6-8754e9 184->188 185->168 185->184 186->168 189 87549c-8754ab call 87474c 186->189 188->170 189->168 193 8754ad-8754b3 189->193 193->168
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: Fputc
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3078413507-0
                                                                                                                                                        • Opcode ID: 77f559f2ca54f8efed91a67dc1a2cb426649763dd1ffe481756a33c688efc58e
                                                                                                                                                        • Instruction ID: a83e84bbe967a2963a7cad11b4fdb9fa17c481b81653e850818b9676e95d1175
                                                                                                                                                        • Opcode Fuzzy Hash: 77f559f2ca54f8efed91a67dc1a2cb426649763dd1ffe481756a33c688efc58e
                                                                                                                                                        • Instruction Fuzzy Hash: 4941B5B2900A1EAFCF14DF68C4808EEB7B9FF08355B148026E409E7654EB71ED80CB95
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 00887567 Relevance: 3.1, APIs: 2, Instructions: 80fileCOMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 194 887567-8875bc call 876c70 197 8875be 194->197 198 887631-887641 call 875eff 194->198 200 8875c4 197->200 202 8875ca-8875cc 200->202 203 8875ce-8875d3 202->203 204 8875e6-88760b WriteFile 202->204 205 8875dc-8875e4 203->205 206 8875d5-8875db 203->206 207 887629-88762f GetLastError 204->207 208 88760d-887618 204->208 205->202 205->204 206->205 207->198 208->198 209 88761a-887625 208->209 209->200 210 887627 209->210 210->198
                                                                                                                                                        APIs
                                                                                                                                                        • WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,00000000,?,00887AB4,00000000,00000000,00000000,?,0000000C,00000000), ref: 00887603
                                                                                                                                                        • GetLastError.KERNEL32(?,00887AB4,00000000,00000000,00000000,?,0000000C,00000000,00000000,?,00000000,0089C4A0,00000010,0087EA3D,00000000,00000000), ref: 00887629
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: ErrorFileLastWrite
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 442123175-0
                                                                                                                                                        • Opcode ID: c01c1a59a4c6375b0637fe3146c16b3a0618d7491f57f6acecccbd4980d74705
                                                                                                                                                        • Instruction ID: fadbc1258eb3dbc7ef0e3613eba8697a6179436622e2afce056648f624ac4a47
                                                                                                                                                        • Opcode Fuzzy Hash: c01c1a59a4c6375b0637fe3146c16b3a0618d7491f57f6acecccbd4980d74705
                                                                                                                                                        • Instruction Fuzzy Hash: 71219F31A00619DFCB19DF29DC809EDB7B9FB98301F2440AAE906D7251E630DE42CF60
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 00884EE6 Relevance: 3.1, APIs: 2, Instructions: 65COMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 211 884ee6-884eeb 212 884eed-884f05 211->212 213 884f13-884f1c 212->213 214 884f07-884f0b 212->214 216 884f2e 213->216 217 884f1e-884f21 213->217 214->213 215 884f0d-884f11 214->215 219 884f88-884f8c 215->219 218 884f30-884f3d GetStdHandle 216->218 220 884f2a-884f2c 217->220 221 884f23-884f28 217->221 222 884f6a-884f7c 218->222 223 884f3f-884f41 218->223 219->212 224 884f92-884f95 219->224 220->218 221->218 222->219 226 884f7e-884f81 222->226 223->222 225 884f43-884f4c GetFileType 223->225 225->222 227 884f4e-884f57 225->227 226->219 228 884f59-884f5d 227->228 229 884f5f-884f62 227->229 228->219 229->219 230 884f64-884f68 229->230 230->219
                                                                                                                                                        APIs
                                                                                                                                                        • GetStdHandle.KERNEL32(000000F6), ref: 00884F32
                                                                                                                                                        • GetFileType.KERNELBASE(00000000), ref: 00884F44
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: FileHandleType
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3000768030-0
                                                                                                                                                        • Opcode ID: 7f4c9d182e9112a57f9f2c1d846b378086c9b18d2aa83f7b910db23e92efe240
                                                                                                                                                        • Instruction ID: 061278ff811b1eac96aa0133b4d1a411f0447db1e9dc942a56999c4fc4459458
                                                                                                                                                        • Opcode Fuzzy Hash: 7f4c9d182e9112a57f9f2c1d846b378086c9b18d2aa83f7b910db23e92efe240
                                                                                                                                                        • Instruction Fuzzy Hash: B01196735047534AC7306E3D9C88A267A94FB96334B39271ED2B6C61F1CA30D986D751
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 00873D0A Relevance: 3.0, APIs: 2, Instructions: 31memoryCOMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 231 873d0a-873d34 VirtualProtect FreeConsole call 873062 233 873d39-873d58 call 873048 231->233
                                                                                                                                                        APIs
                                                                                                                                                        • VirtualProtect.KERNELBASE(008EB018,000004AC,00000040,00000000), ref: 00873D26
                                                                                                                                                        • FreeConsole.KERNELBASE ref: 00873D2C
                                                                                                                                                          • Part of subcall function 00873062: OpenIcon.USER32(00000000), ref: 0087307C
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: ConsoleFreeIconOpenProtectVirtual
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3161549936-0
                                                                                                                                                        • Opcode ID: 227f7b816b6045c556a0834f77931de714192848445df3c66e20d1f2ca0cfa76
                                                                                                                                                        • Instruction ID: da6ce7cbf7131d52be0f9f7b56fc46251fb37264cfea0bdef4f219db155776f5
                                                                                                                                                        • Opcode Fuzzy Hash: 227f7b816b6045c556a0834f77931de714192848445df3c66e20d1f2ca0cfa76
                                                                                                                                                        • Instruction Fuzzy Hash: 5CE02263A01910B7D310F3A69C0AE8F3A6CEBC3721F048075F204E6041CB288F0993FA
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 008852C6 Relevance: 1.6, APIs: 1, Instructions: 57COMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 237 8852c6-8852ee 238 8852f0-8852f2 237->238 239 8852f4-8852f6 237->239 240 885345-885348 238->240 241 8852f8-8852fa 239->241 242 8852fc-885303 call 8851fb 239->242 241->240 244 885308-88530c 242->244 245 88532b-885342 244->245 246 88530e-88531c GetProcAddress 244->246 247 885344 245->247 246->245 248 88531e-885329 call 87f8c4 246->248 247->240 248->247
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 4de07456cf9051390bcf3d3c9dd1e80e560f38cdc53dc62de0df293cbf7340c1
                                                                                                                                                        • Instruction ID: 52cc7716c731db10588eac59b8833acb3b60081007b6a9f2dc61cbb44cf42226
                                                                                                                                                        • Opcode Fuzzy Hash: 4de07456cf9051390bcf3d3c9dd1e80e560f38cdc53dc62de0df293cbf7340c1
                                                                                                                                                        • Instruction Fuzzy Hash: 3B01D837704A156FDF25FE6DEC44A5A3796FBC53647184121F904DB299EA30D8018791
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Non-executed Functions

                                                                                                                                                        Function 0088CD80 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: __floor_pentium4
                                                                                                                                                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                                                                        • API String ID: 4168288129-2761157908
                                                                                                                                                        • Opcode ID: a5b852517cf7f271291659343b5ccba9b187846fc323495e8787abe2913ce76c
                                                                                                                                                        • Instruction ID: da0929739d98acf7fa558c1e856220cd7dbcf00b405aff9f1994cf914ba23d20
                                                                                                                                                        • Opcode Fuzzy Hash: a5b852517cf7f271291659343b5ccba9b187846fc323495e8787abe2913ce76c
                                                                                                                                                        • Instruction Fuzzy Hash: CED22871E082298FDB65EE28DD407EAB7B5FB44315F1445EAD40DE7280EB78AE818F41
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 0088C1F9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • GetLocaleInfoW.KERNEL32(?,2000000B,0088C517,00000002,00000000,?,?,?,0088C517,?,00000000), ref: 0088C292
                                                                                                                                                        • GetLocaleInfoW.KERNEL32(?,20001004,0088C517,00000002,00000000,?,?,?,0088C517,?,00000000), ref: 0088C2BB
                                                                                                                                                        • GetACP.KERNEL32(?,?,0088C517,?,00000000), ref: 0088C2D0
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: InfoLocale
                                                                                                                                                        • String ID: ACP$OCP
                                                                                                                                                        • API String ID: 2299586839-711371036
                                                                                                                                                        • Opcode ID: 01324eec825d9d46f9430862babe3207fba80e97e8a7879d5f25d9cb413c924a
                                                                                                                                                        • Instruction ID: cd583f701affad61905c92dafa08dcb564cd513f627359322289c0556b006361
                                                                                                                                                        • Opcode Fuzzy Hash: 01324eec825d9d46f9430862babe3207fba80e97e8a7879d5f25d9cb413c924a
                                                                                                                                                        • Instruction Fuzzy Hash: BD21B332B40104ABDB30BFD4C905A9772A6FF54B64B5A8464F90AD719CEB32DE40C370
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 0088C3CE Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                          • Part of subcall function 00882A50: GetLastError.KERNEL32(?,00000008,008887AF,00000000,0087A8A0), ref: 00882A54
                                                                                                                                                          • Part of subcall function 00882A50: SetLastError.KERNEL32(00000000,00000005,000000FF), ref: 00882AF6
                                                                                                                                                        • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0088C4DA
                                                                                                                                                        • IsValidCodePage.KERNEL32(00000000), ref: 0088C523
                                                                                                                                                        • IsValidLocale.KERNEL32(?,00000001), ref: 0088C532
                                                                                                                                                        • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0088C57A
                                                                                                                                                        • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0088C599
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 415426439-0
                                                                                                                                                        • Opcode ID: 8a31fb52e9254c818ac64db8bce5192999413a80845763079fe1db19cd31b915
                                                                                                                                                        • Instruction ID: ab4511fd87ff831c06a5e4176e9b2c8b0ab164d0c9e44ea257f6839447d33700
                                                                                                                                                        • Opcode Fuzzy Hash: 8a31fb52e9254c818ac64db8bce5192999413a80845763079fe1db19cd31b915
                                                                                                                                                        • Instruction Fuzzy Hash: 32516C71A00209ABDB20FFA8CC51ABA77B8FF48700F19446AE910E7155EB709A848B75
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 00883F4F Relevance: 6.3, APIs: 4, Instructions: 337COMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: _strrchr
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3213747228-0
                                                                                                                                                        • Opcode ID: 3b77efa88b360e3b2f44fc598f2baa6fe67a69f1edf31522626998ca8dd4c5a1
                                                                                                                                                        • Instruction ID: e297da0ec19987b202eadb47d0b91364c015234d1382b1130e9446b7f7783403
                                                                                                                                                        • Opcode Fuzzy Hash: 3b77efa88b360e3b2f44fc598f2baa6fe67a69f1edf31522626998ca8dd4c5a1
                                                                                                                                                        • Instruction Fuzzy Hash: 44B16533A082479FDF11AF68C8817EEBBA5FF65304F24916AE905EB241D3359D41C7A1
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 00888F67 Relevance: 6.2, APIs: 4, Instructions: 206fileCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 00889057
                                                                                                                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 0088914B
                                                                                                                                                        • FindClose.KERNEL32(00000000), ref: 0088918A
                                                                                                                                                        • FindClose.KERNEL32(00000000), ref: 008891BD
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: Find$CloseFile$FirstNext
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 1164774033-0
                                                                                                                                                        • Opcode ID: bbc10f8360f0489256deedc20119053aa1ee146cae76875fd886f9bd02714d78
                                                                                                                                                        • Instruction ID: 9d3c0b28a8ff355c3cd66276d7d0282ef65c9fddfc4b951722b07472db5157ee
                                                                                                                                                        • Opcode Fuzzy Hash: bbc10f8360f0489256deedc20119053aa1ee146cae76875fd886f9bd02714d78
                                                                                                                                                        • Instruction Fuzzy Hash: 1571B0759091699FDB20FF288C8DABABBB9FF05300F5841D9E049E7211EE358E818F15
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 008769EF Relevance: 6.1, APIs: 4, Instructions: 70COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 008769FB
                                                                                                                                                        • IsDebuggerPresent.KERNEL32 ref: 00876AC7
                                                                                                                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00876AE0
                                                                                                                                                        • UnhandledExceptionFilter.KERNEL32(?), ref: 00876AEA
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 254469556-0
                                                                                                                                                        • Opcode ID: 15802ff166929af0b7752659763d524fc38a85dce39e7361e65880b55289a1e2
                                                                                                                                                        • Instruction ID: 16cc706b5f7596120393ecc286adf1e1b41315758d35eda67e3e140b010f7bf1
                                                                                                                                                        • Opcode Fuzzy Hash: 15802ff166929af0b7752659763d524fc38a85dce39e7361e65880b55289a1e2
                                                                                                                                                        • Instruction Fuzzy Hash: 0831E575D052189ADF21EFA4D949BCDBBB8FF08300F1081AAE50DAB254EB719B85CF45
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 0088BE7D Relevance: 4.7, APIs: 3, Instructions: 205COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                          • Part of subcall function 00882A50: GetLastError.KERNEL32(?,00000008,008887AF,00000000,0087A8A0), ref: 00882A54
                                                                                                                                                          • Part of subcall function 00882A50: SetLastError.KERNEL32(00000000,00000005,000000FF), ref: 00882AF6
                                                                                                                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0088BED1
                                                                                                                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0088BF1B
                                                                                                                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0088BFE1
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: InfoLocale$ErrorLast
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 661929714-0
                                                                                                                                                        • Opcode ID: fb4fb2a4e2fc5f4c937e6b4215fec2265cc722e2947e9275f0f0d2fb65c0e94b
                                                                                                                                                        • Instruction ID: f57b26a5676a7babdfea5e2d5a77722e806cd9cd8124f631b6c3fb6695ee0c3b
                                                                                                                                                        • Opcode Fuzzy Hash: fb4fb2a4e2fc5f4c937e6b4215fec2265cc722e2947e9275f0f0d2fb65c0e94b
                                                                                                                                                        • Instruction Fuzzy Hash: 0161BF71510607DFDB28AF28CE82BBAB7A8FF04340F14416AED15C6189EB74D991DF61
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 0087A723 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0087A81B
                                                                                                                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0087A825
                                                                                                                                                        • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0087A832
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3906539128-0
                                                                                                                                                        • Opcode ID: 97466acecb5b3443ddc236ffcd80ecbae18f787e8cd678c124912867c295cd3f
                                                                                                                                                        • Instruction ID: e5a80d97efd2e765f79ad9f2792c67e6d724351637b6a605e94bedec26d861c4
                                                                                                                                                        • Opcode Fuzzy Hash: 97466acecb5b3443ddc236ffcd80ecbae18f787e8cd678c124912867c295cd3f
                                                                                                                                                        • Instruction Fuzzy Hash: 0031C27590122C9BCB21DF68D989B8DBBB8FF48710F5081EAE41CA7251EB749F818F45
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 0087EEF0 Relevance: 3.4, APIs: 2, Instructions: 449COMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: b918ce5ba07d05ff1d573fb676ebfcada0811aa90aede51354a3873ecbe237d1
                                                                                                                                                        • Instruction ID: 1f4d99a1475b29214bc66b209f4dac09fe8b408c80270b396d5796cbc28dce0a
                                                                                                                                                        • Opcode Fuzzy Hash: b918ce5ba07d05ff1d573fb676ebfcada0811aa90aede51354a3873ecbe237d1
                                                                                                                                                        • Instruction Fuzzy Hash: 26F12F75E002199FDF14CFA9C8806ADB7B1FF89324F258269E919E7396D7309D41CB90
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 00883663 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0088365E,?,?,00000008,?,?,00891615,00000000), ref: 00883890
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: ExceptionRaise
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3997070919-0
                                                                                                                                                        • Opcode ID: e744213cc903d9f4044d86aea55aec265bbbbb32e018d93ffa16d51c3c2ecce9
                                                                                                                                                        • Instruction ID: d95bb2c769cdb5503e6798a28c2e1d8c9eb69a2f7a58f32b77648b64cd5dd27c
                                                                                                                                                        • Opcode Fuzzy Hash: e744213cc903d9f4044d86aea55aec265bbbbb32e018d93ffa16d51c3c2ecce9
                                                                                                                                                        • Instruction Fuzzy Hash: 2DB14B75210609DFDB19DF2CC486B657BE0FF45764F258668E89ACF2A1C335EA82CB40
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 008764CC Relevance: 1.6, APIs: 1, Instructions: 147COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 008764E2
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: FeaturePresentProcessor
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2325560087-0
                                                                                                                                                        • Opcode ID: 5282b758b9f85af4ad3e10c50223dc58bea0490892890e2db28f6a1b49584b69
                                                                                                                                                        • Instruction ID: 219dcbce7683f8ced880ca9fe9c8b4e5eb06c5342dc883d889d01177be47efda
                                                                                                                                                        • Opcode Fuzzy Hash: 5282b758b9f85af4ad3e10c50223dc58bea0490892890e2db28f6a1b49584b69
                                                                                                                                                        • Instruction Fuzzy Hash: A7516DB1A01B15CFEB14CFA4D9817AABBF5FB58310F18852AD409EB254E375E950CF50
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 0087BE7D Relevance: 1.6, Strings: 1, Instructions: 344COMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: 0
                                                                                                                                                        • API String ID: 0-4108050209
                                                                                                                                                        • Opcode ID: 98495ada3929799c871665d4ef4f155b92d44effc4ecd1d3fbae98988406a257
                                                                                                                                                        • Instruction ID: 179f93510b090326b0a91ac89fd02bb0ea93a6213ee7253ba204417967e7ca1d
                                                                                                                                                        • Opcode Fuzzy Hash: 98495ada3929799c871665d4ef4f155b92d44effc4ecd1d3fbae98988406a257
                                                                                                                                                        • Instruction Fuzzy Hash: D7C1AD74600A4A8FCB24CE28C8947BAB7A2FF05314F54C62DD55AD739AC731ED85CBA1
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 0088C0D0 Relevance: 1.6, APIs: 1, Instructions: 83COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                          • Part of subcall function 00882A50: GetLastError.KERNEL32(?,00000008,008887AF,00000000,0087A8A0), ref: 00882A54
                                                                                                                                                          • Part of subcall function 00882A50: SetLastError.KERNEL32(00000000,00000005,000000FF), ref: 00882AF6
                                                                                                                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0088C124
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: ErrorLast$InfoLocale
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3736152602-0
                                                                                                                                                        • Opcode ID: 466db7b21e91f629c8a11fcefafcc31ae7695678c1d5143b4d1744c72e8e51fa
                                                                                                                                                        • Instruction ID: e4981beb0c41ecaa1dd2a6f35c3c743c3b96ab221678188d4d495086ad5c05fd
                                                                                                                                                        • Opcode Fuzzy Hash: 466db7b21e91f629c8a11fcefafcc31ae7695678c1d5143b4d1744c72e8e51fa
                                                                                                                                                        • Instruction Fuzzy Hash: 6B21CF36614206ABDB28BA29CD86ABB77E8FF44314F14407AFD06D6146EB34ED018B61
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 0088BD57 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                          • Part of subcall function 00882A50: GetLastError.KERNEL32(?,00000008,008887AF,00000000,0087A8A0), ref: 00882A54
                                                                                                                                                          • Part of subcall function 00882A50: SetLastError.KERNEL32(00000000,00000005,000000FF), ref: 00882AF6
                                                                                                                                                        • EnumSystemLocalesW.KERNEL32(0088BE7D,00000001,00000000,?,-00000050,?,0088C4AE,00000000,?,?,?,00000055,?), ref: 0088BDC9
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: ErrorLast$EnumLocalesSystem
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2417226690-0
                                                                                                                                                        • Opcode ID: d5408f27d19690b94b961c40aa277c1319b8072e8dd6ce24c19f9a15cb7b68c0
                                                                                                                                                        • Instruction ID: 10e66bc05f61fba8f324298ce6795a86d131b096fdc5285bb40b7e0fe19358b8
                                                                                                                                                        • Opcode Fuzzy Hash: d5408f27d19690b94b961c40aa277c1319b8072e8dd6ce24c19f9a15cb7b68c0
                                                                                                                                                        • Instruction Fuzzy Hash: 1611E53A2007059FDB28AF39C8A16BAB792FFC4358B18442DE98787A40D771A942C740
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 0088C2FF Relevance: 1.5, APIs: 1, Instructions: 45COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                          • Part of subcall function 00882A50: GetLastError.KERNEL32(?,00000008,008887AF,00000000,0087A8A0), ref: 00882A54
                                                                                                                                                          • Part of subcall function 00882A50: SetLastError.KERNEL32(00000000,00000005,000000FF), ref: 00882AF6
                                                                                                                                                        • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0088C099,00000000,00000000,?), ref: 0088C32B
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: ErrorLast$InfoLocale
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3736152602-0
                                                                                                                                                        • Opcode ID: f7642eee9a6db0345435043eee7a2357a387651d3d4569c03bc5bd3bc90db0dc
                                                                                                                                                        • Instruction ID: 0fb17065b95b2c6a7555171b2ec9785b4488a15e43bfbc124055c52fc661aac5
                                                                                                                                                        • Opcode Fuzzy Hash: f7642eee9a6db0345435043eee7a2357a387651d3d4569c03bc5bd3bc90db0dc
                                                                                                                                                        • Instruction Fuzzy Hash: 12F0A932A00215ABDB287B648845ABBB7A8FB40B54F158425ED16E3244DA74FE42D7A1
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 0088BDF2 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                          • Part of subcall function 00882A50: GetLastError.KERNEL32(?,00000008,008887AF,00000000,0087A8A0), ref: 00882A54
                                                                                                                                                          • Part of subcall function 00882A50: SetLastError.KERNEL32(00000000,00000005,000000FF), ref: 00882AF6
                                                                                                                                                        • EnumSystemLocalesW.KERNEL32(0088C0D0,00000001,?,?,-00000050,?,0088C472,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 0088BE3C
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: ErrorLast$EnumLocalesSystem
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2417226690-0
                                                                                                                                                        • Opcode ID: 39729b1768fc86d56c3a5bf8b8dedfd6d642767f18783c41474392e1e8ac87c7
                                                                                                                                                        • Instruction ID: 920fef0ed3abca3e1f627c2cc299c2c82593f12ce17f90a82603868e1edf1624
                                                                                                                                                        • Opcode Fuzzy Hash: 39729b1768fc86d56c3a5bf8b8dedfd6d642767f18783c41474392e1e8ac87c7
                                                                                                                                                        • Instruction Fuzzy Hash: B3F0C2362007085FDB247F399881AAB7B91FF80768F15842DFA468B680C7B19C028750
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 00885032 Relevance: 1.5, APIs: 1, Instructions: 33COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                          • Part of subcall function 0087CD14: EnterCriticalSection.KERNEL32(?,?,00882728,?,0089C360,00000008,008828EC,?,?,?), ref: 0087CD23
                                                                                                                                                        • EnumSystemLocalesW.KERNEL32(Function_00015025,00000001,0089C420,0000000C,00885454,?), ref: 0088506A
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 1272433827-0
                                                                                                                                                        • Opcode ID: 2d2c22d07edd369addef1f5a3dac456b1ae1d26972eb6251c5edb2c07d9827b7
                                                                                                                                                        • Instruction ID: ab5ac98100c1f72b4d7084c759f9ebdc2423c817e6378c8b184b4677cb806634
                                                                                                                                                        • Opcode Fuzzy Hash: 2d2c22d07edd369addef1f5a3dac456b1ae1d26972eb6251c5edb2c07d9827b7
                                                                                                                                                        • Instruction Fuzzy Hash: 27F04972A10604DFDB00EF98E842B9C7BF0FB44725F14812BF414DB2A1DB798900CB41
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 0088BD0C Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                          • Part of subcall function 00882A50: GetLastError.KERNEL32(?,00000008,008887AF,00000000,0087A8A0), ref: 00882A54
                                                                                                                                                          • Part of subcall function 00882A50: SetLastError.KERNEL32(00000000,00000005,000000FF), ref: 00882AF6
                                                                                                                                                        • EnumSystemLocalesW.KERNEL32(0088BC65,00000001,?,?,?,0088C4D0,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0088BD43
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: ErrorLast$EnumLocalesSystem
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2417226690-0
                                                                                                                                                        • Opcode ID: 6c06e8c2d5344deaaa9cb8f2cede8a3ff57831f159631ac73ac957673d24c295
                                                                                                                                                        • Instruction ID: 2c0c6c141c5d896a542490355377def74627e06192cd95fcf2271a6e9d678ee1
                                                                                                                                                        • Opcode Fuzzy Hash: 6c06e8c2d5344deaaa9cb8f2cede8a3ff57831f159631ac73ac957673d24c295
                                                                                                                                                        • Instruction Fuzzy Hash: 14F0E536300209A7CB14BF79D845B6A7F95FFC1760B0A4059EA1ACB250C775A942C790
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 00885558 Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,0088165C,?,20001004,00000000,00000002,?,?,00880C5E), ref: 0088558C
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: InfoLocale
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2299586839-0
                                                                                                                                                        • Opcode ID: f3a2e6ab7ab1fc12c0eda7f1d060773fce9eadc16e213680c054bcf93e3f8989
                                                                                                                                                        • Instruction ID: 0d96b31e4eaaf4e11cb20afb46e4444450d15902527b32c29112320586d93703
                                                                                                                                                        • Opcode Fuzzy Hash: f3a2e6ab7ab1fc12c0eda7f1d060773fce9eadc16e213680c054bcf93e3f8989
                                                                                                                                                        • Instruction Fuzzy Hash: EFE04F31500A28BBCF123F61EC08AAE7F16FF44750F048011FD15A6120CB718E21AB95
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 00876B4B Relevance: 1.5, APIs: 1, Instructions: 3COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • SetUnhandledExceptionFilter.KERNEL32(Function_00006B57,008760AA), ref: 00876B50
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: ExceptionFilterUnhandled
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3192549508-0
                                                                                                                                                        • Opcode ID: b3fbe6848968770520b792b0cb8b1168848f85ff79f29894e2e8373c1d502cff
                                                                                                                                                        • Instruction ID: 38d9d9541f253fe2daa7e1b01b4e20b08f2e2fb47c37ddc0052b2fbe7b6d1a95
                                                                                                                                                        • Opcode Fuzzy Hash: b3fbe6848968770520b792b0cb8b1168848f85ff79f29894e2e8373c1d502cff
                                                                                                                                                        • Instruction Fuzzy Hash:
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 0088C630 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: HeapProcess
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 54951025-0
                                                                                                                                                        • Opcode ID: d25fcda261d7228d20a22084380e2a4952bba86bd42f1fd39a80e31eb78de744
                                                                                                                                                        • Instruction ID: 8eebdd9018b781ec471663490e3749a3f59dc3710b7bfcd76573bf8ce81d5e0c
                                                                                                                                                        • Opcode Fuzzy Hash: d25fcda261d7228d20a22084380e2a4952bba86bd42f1fd39a80e31eb78de744
                                                                                                                                                        • Instruction Fuzzy Hash: 05A001746022058B9740AF3AAA096093AE9BA4A691709806AA945D5274EA3895509A06
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 00879638 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • type_info::operator==.LIBVCRUNTIME ref: 00879757
                                                                                                                                                        • ___TypeMatch.LIBVCRUNTIME ref: 00879865
                                                                                                                                                        • _UnwindNestedFrames.LIBCMT ref: 008799B7
                                                                                                                                                        • CallUnexpected.LIBVCRUNTIME ref: 008799D2
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                                                                                                                                        • String ID: csm$csm$csm
                                                                                                                                                        • API String ID: 2751267872-393685449
                                                                                                                                                        • Opcode ID: 2cf1c5aa2a7dd17a4d6abf704c6c6482bfb639ce75b4fa78e25ec61ef0e5bc82
                                                                                                                                                        • Instruction ID: 7f8daea6919b0724f82145c69c96e2b31f33555a0ec53dfe841ea9af2c7f588f
                                                                                                                                                        • Opcode Fuzzy Hash: 2cf1c5aa2a7dd17a4d6abf704c6c6482bfb639ce75b4fa78e25ec61ef0e5bc82
                                                                                                                                                        • Instruction Fuzzy Hash: BBB1A371800209EFCF19DF98C8819AEBBB5FF05310F148169E999EB21AD730DA51CB92
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 008904DA Relevance: 12.2, APIs: 8, Instructions: 248COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: __freea$__alloca_probe_16$Info
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 127012223-0
                                                                                                                                                        • Opcode ID: 543df10a1236f09ad96dc5d1bce9e2386bfa408602669617b3df7a03eb2e5082
                                                                                                                                                        • Instruction ID: 7e0ed1d8107e2636ead0c582585781b6dd375fbfe3668400f4efdc26e77b5f9e
                                                                                                                                                        • Opcode Fuzzy Hash: 543df10a1236f09ad96dc5d1bce9e2386bfa408602669617b3df7a03eb2e5082
                                                                                                                                                        • Instruction Fuzzy Hash: 5B71D372900209AFDF21BE988C41BAE7BB9FF45724F2D0015E905F7282DA75DC408F62
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 0088EDFD Relevance: 9.3, APIs: 6, Instructions: 298COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: a3c3565c5f2b03be0f679944db45a15bcf4e911c42197d484a31bf70d0f9ceb5
                                                                                                                                                        • Instruction ID: eadc774647d61c697c844c8249cfeca3bf865a780fe19a7e43f7abc458bef64e
                                                                                                                                                        • Opcode Fuzzy Hash: a3c3565c5f2b03be0f679944db45a15bcf4e911c42197d484a31bf70d0f9ceb5
                                                                                                                                                        • Instruction Fuzzy Hash: D8B1B074A04649EFDB11EF98C880BAD7BB1FF49304F188169EA15EB293CB719D41CB61
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 00874844 Relevance: 9.1, APIs: 6, Instructions: 65COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • __EH_prolog3.LIBCMT ref: 0087484B
                                                                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00874855
                                                                                                                                                        • int.LIBCPMT ref: 0087486C
                                                                                                                                                          • Part of subcall function 008721B2: std::_Lockit::_Lockit.LIBCPMT ref: 008721C3
                                                                                                                                                          • Part of subcall function 008721B2: std::_Lockit::~_Lockit.LIBCPMT ref: 008721DD
                                                                                                                                                        • codecvt.LIBCPMT ref: 0087488F
                                                                                                                                                        • std::_Facet_Register.LIBCPMT ref: 008748A6
                                                                                                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 008748C6
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 712880209-0
                                                                                                                                                        • Opcode ID: ddc91b4372cf3304a17b0a487fa103acbbed2a29ae2018a204b167fc63d580a4
                                                                                                                                                        • Instruction ID: 94e16bf4c4806a3f6c75959d6f2b6a0c874cac35485453dbccb57b6bbff6b887
                                                                                                                                                        • Opcode Fuzzy Hash: ddc91b4372cf3304a17b0a487fa103acbbed2a29ae2018a204b167fc63d580a4
                                                                                                                                                        • Instruction Fuzzy Hash: 3E11E7319106199BCB14FBA8C8057ADB7B4FF44720F18950EF509E7295DFB0DE018792
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 008792CA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • GetLastError.KERNEL32(?,?,008792C1,008779F7,00876B9B), ref: 008792D8
                                                                                                                                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 008792E6
                                                                                                                                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 008792FF
                                                                                                                                                        • SetLastError.KERNEL32(00000000,008792C1,008779F7,00876B9B), ref: 00879351
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: ErrorLastValue___vcrt_
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3852720340-0
                                                                                                                                                        • Opcode ID: a68a386ba9e067dbba73aeb5249c3ba7174b52b7f04ba867d94d5c37e372b495
                                                                                                                                                        • Instruction ID: 27400e6bd44145459c676cc9aee8422857ac46332c37fae3374444014a1c0511
                                                                                                                                                        • Opcode Fuzzy Hash: a68a386ba9e067dbba73aeb5249c3ba7174b52b7f04ba867d94d5c37e372b495
                                                                                                                                                        • Instruction Fuzzy Hash: 22014C3210CB11AEAB1837B97C8566F2745FB82334734832AF92CC51E8EF52CC11954A
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 008801D9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,8F8D4C53,?,?,00000000,008920E7,000000FF,?,00880169,?,?,0088013D,00000000), ref: 0088020E
                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00880220
                                                                                                                                                        • FreeLibrary.KERNEL32(00000000,?,00000000,008920E7,000000FF,?,00880169,?,?,0088013D,00000000), ref: 00880242
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                        • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                        • API String ID: 4061214504-1276376045
                                                                                                                                                        • Opcode ID: 464516abceb57b5c571cb69b1a612f4c0ccc5a883276e3616a0ac35029bb3e94
                                                                                                                                                        • Instruction ID: 3f4a2551d8c04fbaf49814cdfc7a0f6397c9fc2c0e9f82667a2f6ae972155ae6
                                                                                                                                                        • Opcode Fuzzy Hash: 464516abceb57b5c571cb69b1a612f4c0ccc5a883276e3616a0ac35029bb3e94
                                                                                                                                                        • Instruction Fuzzy Hash: E5016735A54A15EFDB11AF50DC09FAEBBB8FB44B15F040526F825E22A0D7759904CF90
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 008861FA Relevance: 7.7, APIs: 5, Instructions: 202COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • __alloca_probe_16.LIBCMT ref: 00886281
                                                                                                                                                        • __alloca_probe_16.LIBCMT ref: 00886342
                                                                                                                                                        • __freea.LIBCMT ref: 008863A9
                                                                                                                                                          • Part of subcall function 00883D40: HeapAlloc.KERNEL32(00000000,0074FB58,00000000,?,00875EDB,0074FB58,?,008726AE,00000044,00000000,0074FB58), ref: 00883D72
                                                                                                                                                        • __freea.LIBCMT ref: 008863BE
                                                                                                                                                        • __freea.LIBCMT ref: 008863CE
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: __freea$__alloca_probe_16$AllocHeap
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 1096550386-0
                                                                                                                                                        • Opcode ID: 6047e6ec2b278b05e3c097395c10730eac1fc2e5aedac0a92a4769510cb0bc14
                                                                                                                                                        • Instruction ID: 2e341a13cc4468ed1558d612e52d2ba8fe5617dd0ebeb3650dd56f6a3ba49845
                                                                                                                                                        • Opcode Fuzzy Hash: 6047e6ec2b278b05e3c097395c10730eac1fc2e5aedac0a92a4769510cb0bc14
                                                                                                                                                        • Instruction Fuzzy Hash: B951B37260020AAFEF21AFA4CC85DBB77A9FF44754B154168FD08D6241FB71CD209761
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 0087414C Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • __EH_prolog3.LIBCMT ref: 00874153
                                                                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0087415E
                                                                                                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 008741CC
                                                                                                                                                          • Part of subcall function 008742AF: std::locale::_Locimp::_Locimp.LIBCPMT ref: 008742C7
                                                                                                                                                        • std::locale::_Setgloballocale.LIBCPMT ref: 00874179
                                                                                                                                                        • _Yarn.LIBCPMT ref: 0087418F
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 1088826258-0
                                                                                                                                                        • Opcode ID: f4b4688596ee026259fe64b5fc059b1e79c9bd851c892d655060a3a9155cfc88
                                                                                                                                                        • Instruction ID: 9c2aa93d180126c984950a52fb6ca641f33669ec14673f9e6802f37d3674edd7
                                                                                                                                                        • Opcode Fuzzy Hash: f4b4688596ee026259fe64b5fc059b1e79c9bd851c892d655060a3a9155cfc88
                                                                                                                                                        • Instruction Fuzzy Hash: FC01BC35A009219BDB05FB64D84553C7BA1FF80700B18800AE90997399CFB4EE46CB92
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 0087A412 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • LoadLibraryExW.KERNEL32(?,00000000,00000800,?,0087A3C3,00000000,00000000,?,?,?,?,0087A4ED,00000002,FlsGetValue,00894CC8,FlsGetValue), ref: 0087A41F
                                                                                                                                                        • GetLastError.KERNEL32(?,0087A3C3,00000000,00000000,?,?,?,?,0087A4ED,00000002,FlsGetValue,00894CC8,FlsGetValue,00000000,?,0087937D), ref: 0087A429
                                                                                                                                                        • LoadLibraryExW.KERNEL32(?,00000000,00000000,00894CC8,FlsGetValue,00000000,?,0087937D), ref: 0087A451
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: LibraryLoad$ErrorLast
                                                                                                                                                        • String ID: api-ms-
                                                                                                                                                        • API String ID: 3177248105-2084034818
                                                                                                                                                        • Opcode ID: 454c2cbec27d72d907b6e47af7ac95e4905f8b495611f29985bba52e72fca268
                                                                                                                                                        • Instruction ID: b639906c740239bfea7fb6df3a9b5217777e355c841a5014b990a1f36ddb2540
                                                                                                                                                        • Opcode Fuzzy Hash: 454c2cbec27d72d907b6e47af7ac95e4905f8b495611f29985bba52e72fca268
                                                                                                                                                        • Instruction Fuzzy Hash: 2BE04F30284208BBEF206B60EC0AB1C3F54FB50B54F188021FA0DE80E1E7A3D9619689
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 008870AF Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • GetConsoleOutputCP.KERNEL32(8F8D4C53,00000000,00000000,00000000), ref: 00887112
                                                                                                                                                          • Part of subcall function 00888857: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,0088639F,?,00000000,-00000008), ref: 00888903
                                                                                                                                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0088736D
                                                                                                                                                        • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 008873B5
                                                                                                                                                        • GetLastError.KERNEL32 ref: 00887458
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2112829910-0
                                                                                                                                                        • Opcode ID: a2d9a7680099ac06e8c06571ee6d5d12bb7b0bdace91d4b99a3aed42087373a6
                                                                                                                                                        • Instruction ID: 86ad1e16ec8a32b561ed3e71b0325a70f83931cc84b21b3f1befdaab34d5baff
                                                                                                                                                        • Opcode Fuzzy Hash: a2d9a7680099ac06e8c06571ee6d5d12bb7b0bdace91d4b99a3aed42087373a6
                                                                                                                                                        • Instruction Fuzzy Hash: 3CD17BB5E042489FCF15EFA8D8809ADBBB4FF49304F28452AE866E7352D730E945CB50
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 008793E1 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: AdjustPointer
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 1740715915-0
                                                                                                                                                        • Opcode ID: d684bf4e0af3fb19773b3d546b589712e73769ed05aa1e458fbf4a3748ad8bc8
                                                                                                                                                        • Instruction ID: 3ae4c14b6410b5857e21bf491aac83aefd7f443ee60cea63e13fd74685608bd1
                                                                                                                                                        • Opcode Fuzzy Hash: d684bf4e0af3fb19773b3d546b589712e73769ed05aa1e458fbf4a3748ad8bc8
                                                                                                                                                        • Instruction Fuzzy Hash: 33510172600616DFEB2A9F18D841BBA77A5FF44314F18C029E89DC72A9E731EC81C791
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 00888C73 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                          • Part of subcall function 00888857: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,0088639F,?,00000000,-00000008), ref: 00888903
                                                                                                                                                        • GetLastError.KERNEL32 ref: 00888CD7
                                                                                                                                                        • __dosmaperr.LIBCMT ref: 00888CDE
                                                                                                                                                        • GetLastError.KERNEL32(?,?,?,?), ref: 00888D18
                                                                                                                                                        • __dosmaperr.LIBCMT ref: 00888D1F
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 1913693674-0
                                                                                                                                                        • Opcode ID: 78a869e83460130fc43906bd566851409528329e46d2bb3c9fe326466fccd8c4
                                                                                                                                                        • Instruction ID: 4c9acb3822ca766d0ea0d9b12aa684c76a97f5dff3fdb19488db0f411670e62c
                                                                                                                                                        • Opcode Fuzzy Hash: 78a869e83460130fc43906bd566851409528329e46d2bb3c9fe326466fccd8c4
                                                                                                                                                        • Instruction Fuzzy Hash: E821A731600605EFDB20BF79CC8196BB7A9FF243687508929F919D7255EF31ED0087A1
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 0087F51B Relevance: 6.1, APIs: 4, Instructions: 79COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 0a60a3e8b7012ae55a252660cd76a90ecd48474a1f00befd4bceec09e1f13f3c
                                                                                                                                                        • Instruction ID: 310659b90a6f7f5e2bfa9c573d00e47d67964b78656695f6822af819d1e5910a
                                                                                                                                                        • Opcode Fuzzy Hash: 0a60a3e8b7012ae55a252660cd76a90ecd48474a1f00befd4bceec09e1f13f3c
                                                                                                                                                        • Instruction Fuzzy Hash: F4219D31204209AFDB20AF7ADC8086A77A9FF24368710C539FA1ED7256DB31ED1087A1
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 00889C09 Relevance: 6.1, APIs: 4, Instructions: 74COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • GetEnvironmentStringsW.KERNEL32 ref: 00889C11
                                                                                                                                                          • Part of subcall function 00888857: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,0088639F,?,00000000,-00000008), ref: 00888903
                                                                                                                                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00889C49
                                                                                                                                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00889C69
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 158306478-0
                                                                                                                                                        • Opcode ID: 729f9aa9b6d78de0b063072e6ff7a00cd25e210157ac0279d07c136e9b62ea70
                                                                                                                                                        • Instruction ID: a856c8d341583031005ae84f5b8bff15d768b0d8eeb481eebe17d9ff267bd122
                                                                                                                                                        • Opcode Fuzzy Hash: 729f9aa9b6d78de0b063072e6ff7a00cd25e210157ac0279d07c136e9b62ea70
                                                                                                                                                        • Instruction Fuzzy Hash: 9C11C0F1501619BE671177BAAD8ACBF79ADFE897A83180425F442D1111FA26CE0183B2
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 008719D7 Relevance: 6.0, APIs: 4, Instructions: 48COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 008719E3
                                                                                                                                                        • int.LIBCPMT ref: 008719F6
                                                                                                                                                          • Part of subcall function 008721B2: std::_Lockit::_Lockit.LIBCPMT ref: 008721C3
                                                                                                                                                          • Part of subcall function 008721B2: std::_Lockit::~_Lockit.LIBCPMT ref: 008721DD
                                                                                                                                                        • std::_Facet_Register.LIBCPMT ref: 00871A29
                                                                                                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00871A3F
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 459529453-0
                                                                                                                                                        • Opcode ID: f5daec2376960d79178e626cd192d2cbd9c8cec5102b4261c931045659902aa6
                                                                                                                                                        • Instruction ID: 90ae7ed55705ed14a47f685612138e62885a544cda6559a7cc2dd3cec8e40b68
                                                                                                                                                        • Opcode Fuzzy Hash: f5daec2376960d79178e626cd192d2cbd9c8cec5102b4261c931045659902aa6
                                                                                                                                                        • Instruction Fuzzy Hash: 3801A736500124ABCB14FB6CDC4699DBB78FF40760B258149F50EE7299EF30DE419796
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 00871AC9 Relevance: 6.0, APIs: 4, Instructions: 48COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00871AD5
                                                                                                                                                        • int.LIBCPMT ref: 00871AE8
                                                                                                                                                          • Part of subcall function 008721B2: std::_Lockit::_Lockit.LIBCPMT ref: 008721C3
                                                                                                                                                          • Part of subcall function 008721B2: std::_Lockit::~_Lockit.LIBCPMT ref: 008721DD
                                                                                                                                                        • std::_Facet_Register.LIBCPMT ref: 00871B1B
                                                                                                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00871B31
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 459529453-0
                                                                                                                                                        • Opcode ID: 2be984ce541fe2c59e942845bb0f7fb9f32b45da956015e52c57c80e1d3bc54e
                                                                                                                                                        • Instruction ID: b963ccdb0da0fb63df0646a9f1013e20c7e053532430829948d004b4ca4a720a
                                                                                                                                                        • Opcode Fuzzy Hash: 2be984ce541fe2c59e942845bb0f7fb9f32b45da956015e52c57c80e1d3bc54e
                                                                                                                                                        • Instruction Fuzzy Hash: 55018476500114ABCF14BBACD90689D7B79FF44760B148149F50AEB295FF30DE418796
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 00871A50 Relevance: 6.0, APIs: 4, Instructions: 48COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00871A5C
                                                                                                                                                        • int.LIBCPMT ref: 00871A6F
                                                                                                                                                          • Part of subcall function 008721B2: std::_Lockit::_Lockit.LIBCPMT ref: 008721C3
                                                                                                                                                          • Part of subcall function 008721B2: std::_Lockit::~_Lockit.LIBCPMT ref: 008721DD
                                                                                                                                                        • std::_Facet_Register.LIBCPMT ref: 00871AA2
                                                                                                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00871AB8
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 459529453-0
                                                                                                                                                        • Opcode ID: a03971dd6fe8c1ea83de80a9e55219b78c0ca1ca6c94bdb80efe5b9b227a07d9
                                                                                                                                                        • Instruction ID: 93ff95701c3c69c28e6dd60404f97d832da16c376954a5512b867838cd2319db
                                                                                                                                                        • Opcode Fuzzy Hash: a03971dd6fe8c1ea83de80a9e55219b78c0ca1ca6c94bdb80efe5b9b227a07d9
                                                                                                                                                        • Instruction Fuzzy Hash: C401A732900524ABCF15BB6CD80A89DB778FF40364B148149F50ADB299EF30DF4197D6
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 0089030F Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,00000000,?,0088F1BA,00000000,00000001,00000000,00000000,?,008874AC,00000000,00000000,00000000), ref: 00890326
                                                                                                                                                        • GetLastError.KERNEL32(?,0088F1BA,00000000,00000001,00000000,00000000,?,008874AC,00000000,00000000,00000000,00000000,00000000,?,00887A33,00000000), ref: 00890332
                                                                                                                                                          • Part of subcall function 008902F8: CloseHandle.KERNEL32(FFFFFFFE,00890342,?,0088F1BA,00000000,00000001,00000000,00000000,?,008874AC,00000000,00000000,00000000,00000000,00000000), ref: 00890308
                                                                                                                                                        • ___initconout.LIBCMT ref: 00890342
                                                                                                                                                          • Part of subcall function 008902BA: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,008902E9,0088F1A7,00000000,?,008874AC,00000000,00000000,00000000,00000000), ref: 008902CD
                                                                                                                                                        • WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,?,0088F1BA,00000000,00000001,00000000,00000000,?,008874AC,00000000,00000000,00000000,00000000), ref: 00890357
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2744216297-0
                                                                                                                                                        • Opcode ID: a3e6ca4abc895d64447fe9b138d6ead619b8d57b94dcf6ed1f04f384bb39f956
                                                                                                                                                        • Instruction ID: a2398984514a67577ced919ef26fad5c90766fc1711f700c88fde2ff263a6ade
                                                                                                                                                        • Opcode Fuzzy Hash: a3e6ca4abc895d64447fe9b138d6ead619b8d57b94dcf6ed1f04f384bb39f956
                                                                                                                                                        • Instruction Fuzzy Hash: B5F0A236500658BFCF523FD5EC089993F66FF493A1B0C4411FA19D5131C6318920EF95
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 008790D0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 0087910F
                                                                                                                                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 008791C3
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: CurrentImageNonwritable___except_validate_context_record
                                                                                                                                                        • String ID: csm
                                                                                                                                                        • API String ID: 3480331319-1018135373
                                                                                                                                                        • Opcode ID: 5f7f027b38e7206c44c9920561aba45f4afcafd57c83882243e1e43f142fdb53
                                                                                                                                                        • Instruction ID: 6b3f7bec8a86f394abc441d865e76c1e9669906d518f099f1937de14b74679ab
                                                                                                                                                        • Opcode Fuzzy Hash: 5f7f027b38e7206c44c9920561aba45f4afcafd57c83882243e1e43f142fdb53
                                                                                                                                                        • Instruction Fuzzy Hash: 1641B334A0020A9BCF10DF68C844A9EBBB5FF45324F58C055E858EB39AD735DA11CBA1
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 008799DD Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • EncodePointer.KERNEL32(00000000,?), ref: 00879A02
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: EncodePointer
                                                                                                                                                        • String ID: MOC$RCC
                                                                                                                                                        • API String ID: 2118026453-2084237596
                                                                                                                                                        • Opcode ID: 22f527526e17026e69600b827fb9b0e2133f29c5ec27dd965e512282e586d321
                                                                                                                                                        • Instruction ID: 3756e58916fad85d918314827aa488cbae39143241c27acc267b3caeafedba12
                                                                                                                                                        • Opcode Fuzzy Hash: 22f527526e17026e69600b827fb9b0e2133f29c5ec27dd965e512282e586d321
                                                                                                                                                        • Instruction Fuzzy Hash: C5415571900219EFCF16DF98C881AEEBBB6FF48304F188099F958A7229D335DA50DB51
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 00871C4C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00871C53
                                                                                                                                                        • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00871C8B
                                                                                                                                                          • Part of subcall function 0087424A: _Yarn.LIBCPMT ref: 00874269
                                                                                                                                                          • Part of subcall function 0087424A: _Yarn.LIBCPMT ref: 0087428D
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                                                                                                                                        • String ID: bad locale name
                                                                                                                                                        • API String ID: 1908188788-1405518554
                                                                                                                                                        • Opcode ID: 343c738a985e4074494f159f5c2af28094d7ec49cc876ffa7e795731532a17d0
                                                                                                                                                        • Instruction ID: 0d608c22e93952d28ced7e98b8a0703186da56d8ec6279f7bdb6a0de3be5cc59
                                                                                                                                                        • Opcode Fuzzy Hash: 343c738a985e4074494f159f5c2af28094d7ec49cc876ffa7e795731532a17d0
                                                                                                                                                        • Instruction Fuzzy Hash: 02F01771505B409E83319FAE8481443FBE4FE29210394DA2FE1DEC3A11D730E504CBAA
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 00880317 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1609437098.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1609424103.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609462798.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.000000000089D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609476771.00000000008E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609929123.00000000008EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000000.00000002.1609978045.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_870000_file.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: CommandLine
                                                                                                                                                        • String ID: 8%t
                                                                                                                                                        • API String ID: 3253501508-1789004024
                                                                                                                                                        • Opcode ID: 9f515b8e68ddf3bea2f92784364714331351650099c08dd9a8d445d31fc4143a
                                                                                                                                                        • Instruction ID: eb414487f7a4d761d4fbb0cf6b8c6af92d3ab9895c9e35708e118cf2f33406c1
                                                                                                                                                        • Opcode Fuzzy Hash: 9f515b8e68ddf3bea2f92784364714331351650099c08dd9a8d445d31fc4143a
                                                                                                                                                        • Instruction Fuzzy Hash: 01B04878801600EB8B80EF20A80C0043FB1B288202388885B981682320D77942088F11
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Execution Graph

                                                                                                                                                        Execution Coverage:7.1%
                                                                                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                        Signature Coverage:0%
                                                                                                                                                        Total number of Nodes:87
                                                                                                                                                        Total number of Limit Nodes:8
                                                                                                                                                        execution_graph 28718 13dad38 28719 13dad39 28718->28719 28723 13dae30 28719->28723 28731 13dae20 28719->28731 28720 13dad47 28724 13dae31 28723->28724 28725 13dae64 28724->28725 28739 13db0b8 28724->28739 28743 13db0c8 28724->28743 28725->28720 28726 13dae5c 28726->28725 28727 13db068 GetModuleHandleW 28726->28727 28728 13db095 28727->28728 28728->28720 28732 13dae30 28731->28732 28733 13dae64 28732->28733 28737 13db0b8 LoadLibraryExW 28732->28737 28738 13db0c8 LoadLibraryExW 28732->28738 28733->28720 28734 13dae5c 28734->28733 28735 13db068 GetModuleHandleW 28734->28735 28736 13db095 28735->28736 28736->28720 28737->28734 28738->28734 28740 13db0dc 28739->28740 28742 13db101 28740->28742 28747 13da870 28740->28747 28742->28726 28744 13db0dc 28743->28744 28745 13db101 28744->28745 28746 13da870 LoadLibraryExW 28744->28746 28745->28726 28746->28745 28748 13db2a8 LoadLibraryExW 28747->28748 28750 13db321 28748->28750 28750->28742 28751 13d4668 28752 13d4684 28751->28752 28753 13d4696 28752->28753 28757 13d47a0 28752->28757 28762 13d3e10 28753->28762 28758 13d47c5 28757->28758 28766 13d48a1 28758->28766 28770 13d48b0 28758->28770 28763 13d3e1b 28762->28763 28778 13d5c54 28763->28778 28765 13d46b5 28768 13d48d7 28766->28768 28767 13d49b4 28767->28767 28768->28767 28774 13d4248 28768->28774 28772 13d48d7 28770->28772 28771 13d49b4 28771->28771 28772->28771 28773 13d4248 CreateActCtxA 28772->28773 28773->28771 28775 13d5940 CreateActCtxA 28774->28775 28777 13d5a03 28775->28777 28779 13d5c5f 28778->28779 28782 13d5c64 28779->28782 28781 13d709d 28781->28765 28783 13d5c6f 28782->28783 28786 13d5c94 28783->28786 28785 13d717a 28785->28781 28787 13d5c9f 28786->28787 28790 13d5cc4 28787->28790 28789 13d726d 28789->28785 28791 13d5ccf 28790->28791 28792 13d8691 28791->28792 28794 13dcdf4 28791->28794 28792->28789 28795 13dce11 28794->28795 28796 13dce35 28795->28796 28800 13dcff9 28795->28800 28811 13dcf90 28795->28811 28815 13dcfa0 28795->28815 28796->28792 28801 13dd00e 28800->28801 28802 13dd02c 28801->28802 28803 13dd115 GetCurrentProcess 28801->28803 28802->28796 28804 13dd149 28803->28804 28805 13dd150 GetCurrentThread 28803->28805 28804->28805 28806 13dd18d GetCurrentProcess 28805->28806 28807 13dd186 28805->28807 28808 13dd1c3 28806->28808 28807->28806 28809 13dd1eb GetCurrentThreadId 28808->28809 28810 13dd21c 28809->28810 28810->28796 28813 13dcfad 28811->28813 28812 13dcfe7 28812->28796 28813->28812 28819 13dc8d8 28813->28819 28817 13dcfad 28815->28817 28816 13dcfe7 28816->28796 28817->28816 28818 13dc8d8 4 API calls 28817->28818 28818->28816 28820 13dc8e3 28819->28820 28822 13dd8f8 28820->28822 28823 13dca04 28820->28823 28822->28822 28824 13dca0f 28823->28824 28825 13d5cc4 4 API calls 28824->28825 28826 13dd967 28825->28826 28826->28822 28827 13dd300 DuplicateHandle 28828 13dd396 28827->28828

                                                                                                                                                        Executed Functions

                                                                                                                                                        Function 06A03F50 Relevance: 1.8, Strings: 1, Instructions: 523COMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 619 6a03f50-6a03f84 622 6a03f92-6a03fa5 619->622 623 6a03f86-6a03f8f 619->623 624 6a04215-6a04219 622->624 625 6a03fab-6a03fae 622->625 623->622 627 6a0421b-6a0422b 624->627 628 6a0422e-6a04238 624->628 629 6a03fb0-6a03fb5 625->629 630 6a03fbd-6a03fc9 625->630 627->628 629->630 631 6a04253-6a04299 630->631 632 6a03fcf-6a03fe1 630->632 639 6a042a8-6a042d0 631->639 640 6a0429b-6a042a5 631->640 636 6a03fe7-6a0403a 632->636 637 6a0414d-6a0415b 632->637 668 6a0404a 636->668 669 6a0403c-6a04048 call 6a03c88 636->669 643 6a041e0-6a041e2 637->643 644 6a04161-6a0416f 637->644 661 6a04425-6a04443 639->661 662 6a042d6-6a042ef 639->662 640->639 649 6a041f0-6a041fc 643->649 650 6a041e4-6a041ea 643->650 647 6a04171-6a04176 644->647 648 6a0417e-6a0418a 644->648 647->648 648->631 654 6a04190-6a041bf 648->654 659 6a041fe-6a0420f 649->659 652 6a041ec 650->652 653 6a041ee 650->653 652->649 653->649 675 6a041d0-6a041de 654->675 676 6a041c1-6a041ce 654->676 659->624 659->625 680 6a04445-6a04467 661->680 681 6a044ae-6a044b8 661->681 677 6a042f5-6a0430b 662->677 678 6a04406-6a0441f 662->678 672 6a0404c-6a0405c 668->672 669->672 687 6a04077-6a04079 672->687 688 6a0405e-6a04075 672->688 675->624 676->675 677->678 698 6a04311-6a0435f 677->698 678->661 678->662 699 6a044b9-6a0450a 680->699 700 6a04469-6a04485 680->700 690 6a040c2-6a040c4 687->690 691 6a0407b-6a04089 687->691 688->687 694 6a040d2-6a040e2 690->694 695 6a040c6-6a040d0 690->695 691->690 705 6a0408b-6a0409d 691->705 710 6a040e4-6a040f2 694->710 711 6a0410d-6a04113 call 6a04aff 694->711 695->694 709 6a0411b-6a04127 695->709 747 6a04361-6a04387 698->747 748 6a04389-6a043ad 698->748 735 6a0452a-6a04568 699->735 736 6a0450c-6a04528 699->736 714 6a044a9-6a044ac 700->714 715 6a040a3-6a040a7 705->715 716 6a0409f-6a040a1 705->716 709->659 725 6a0412d-6a04148 709->725 722 6a040f4-6a04103 710->722 723 6a04105-6a04108 710->723 718 6a04119 711->718 714->681 720 6a04493-6a04496 714->720 724 6a040ad-6a040bc 715->724 716->724 718->709 720->699 726 6a04498-6a044a8 720->726 722->709 723->624 724->690 734 6a04239-6a0424c 724->734 725->624 726->714 734->631 736->735 747->748 757 6a043df-6a043f8 748->757 758 6a043af-6a043c6 748->758 761 6a04403-6a04404 757->761 762 6a043fa 757->762 765 6a043d2-6a043dd 758->765 766 6a043c8-6a043cb 758->766 761->678 762->761 765->757 765->758 766->765
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: $dq
                                                                                                                                                        • API String ID: 0-847773763
                                                                                                                                                        • Opcode ID: 679f78b2a9e1703b0737dc825066aa89bbcb99e95a536fb2820a75e40ac181ae
                                                                                                                                                        • Instruction ID: 3b9fd986a83607bdd4ef89213d7cf3d512432e9a05fa725e887a6fb16e6829bf
                                                                                                                                                        • Opcode Fuzzy Hash: 679f78b2a9e1703b0737dc825066aa89bbcb99e95a536fb2820a75e40ac181ae
                                                                                                                                                        • Instruction Fuzzy Hash: 07125D74B002159FDB54DF68D594AAEBBF6FF88300B148569E906EB3A5DB30DC01CBA0
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A067D8 Relevance: .4, Instructions: 418COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: a217c35b99fe01123a3b2ec49893117369c12be48e39c7d316a97c39070d0c8f
                                                                                                                                                        • Instruction ID: e5fae76edd89e0f9a93a37770108fd41efd2780a6189aa5422ae47eef792f09f
                                                                                                                                                        • Opcode Fuzzy Hash: a217c35b99fe01123a3b2ec49893117369c12be48e39c7d316a97c39070d0c8f
                                                                                                                                                        • Instruction Fuzzy Hash: 25F1B171A002159FDF55EF68E880B9EBBF2EF84304F158569E405EB2A1DB30ED56CB90
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A0A3D8 Relevance: .3, Instructions: 295COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 26ce44adecd9a8bdf9f2d3d3e53e285406c70476f40fb90042e754728e07a34b
                                                                                                                                                        • Instruction ID: f4fa5e0c462c969a353c3d79aaa7729a6d45d6b64159a79140c2f090b1494f6b
                                                                                                                                                        • Opcode Fuzzy Hash: 26ce44adecd9a8bdf9f2d3d3e53e285406c70476f40fb90042e754728e07a34b
                                                                                                                                                        • Instruction Fuzzy Hash: 79D1D474900318CFCB58EFB4D854AADBBB2FF8A301F1085A9D51AAB254DB355D86CF11
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A0A3E8 Relevance: .3, Instructions: 289COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 9bdbc9f5bfa2e9e919939ebe85195dbc7f9b2ddd5c9f8de55f20572b31eb65d0
                                                                                                                                                        • Instruction ID: a5397c7a027cadc44ceeeea9da63fc2f588c5f11ee7e84fa739c7bcbc8a05678
                                                                                                                                                        • Opcode Fuzzy Hash: 9bdbc9f5bfa2e9e919939ebe85195dbc7f9b2ddd5c9f8de55f20572b31eb65d0
                                                                                                                                                        • Instruction Fuzzy Hash: DBD1D474900318CFCB18EFB4D844AADBBB2FF8A301F1085A9D51AAB254DB359D86CF11
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 069E1298 Relevance: 10.2, Strings: 8, Instructions: 196COMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 296 69e1298-69e12af 298 69e12c7-69e12e9 296->298 299 69e12b1-69e12b7 296->299 304 69e12ec-69e12f0 298->304 300 69e12bb-69e12bd 299->300 301 69e12b9 299->301 300->298 301->298 305 69e12f9-69e12fe 304->305 306 69e12f2-69e12f7 304->306 307 69e1304-69e1307 305->307 306->307 308 69e130d-69e1322 307->308 309 69e14f8-69e1500 307->309 308->304 311 69e1324 308->311 312 69e132b-69e1350 311->312 313 69e1498-69e14b9 311->313 314 69e13e0-69e1405 311->314 326 69e1356-69e135a 312->326 327 69e1352-69e1354 312->327 318 69e14bf-69e14f3 313->318 324 69e140b-69e140f 314->324 325 69e1407-69e1409 314->325 318->304 332 69e1430-69e1453 324->332 333 69e1411-69e142e 324->333 331 69e146d-69e1493 325->331 328 69e135c-69e1379 326->328 329 69e137b-69e139e 326->329 334 69e13b8-69e13db 327->334 328->334 350 69e13b6 329->350 351 69e13a0-69e13a6 329->351 331->304 348 69e146b 332->348 349 69e1455-69e145b 332->349 333->331 334->304 348->331 352 69e145f-69e1461 349->352 353 69e145d 349->353 350->334 354 69e13aa-69e13ac 351->354 355 69e13a8 351->355 352->348 353->348 354->350 355->350
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791026005.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_69e0000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: $dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq
                                                                                                                                                        • API String ID: 0-634254105
                                                                                                                                                        • Opcode ID: c94944350e6a3d0d8e4cedcba1d3c00759d4aa625c575c3a5c636d14db1268dc
                                                                                                                                                        • Instruction ID: 41270988f931e68b6ba6515d031f98c2c99945090d63cc77597f64c32ebe61cd
                                                                                                                                                        • Opcode Fuzzy Hash: c94944350e6a3d0d8e4cedcba1d3c00759d4aa625c575c3a5c636d14db1268dc
                                                                                                                                                        • Instruction Fuzzy Hash: 6161C1747002009FDB969BA9DC44A3B77EBFF88705B218469EA068B7A3DF71DC418791
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 069E1582 Relevance: 7.8, Strings: 6, Instructions: 335COMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 356 69e1582-69e1584 357 69e158e 356->357 358 69e1598-69e15af 357->358 359 69e15b5-69e15b7 358->359 360 69e15cf-69e15f1 359->360 361 69e15b9-69e15bf 359->361 366 69e1638-69e163f 360->366 362 69e15c3-69e15c5 361->362 363 69e15c1 361->363 362->360 363->360 367 69e1645-69e1747 366->367 368 69e1571-69e1580 366->368 368->356 371 69e15f3-69e15f7 368->371 373 69e15f9-69e1604 371->373 374 69e1606 371->374 376 69e160b-69e160e 373->376 374->376 376->367 378 69e1610-69e1614 376->378 379 69e1616-69e1621 378->379 380 69e1623 378->380 381 69e1625-69e1627 379->381 380->381 383 69e162d-69e1637 381->383 384 69e174a-69e17a7 381->384 383->366 391 69e17bf-69e17e1 384->391 392 69e17a9-69e17af 384->392 397 69e17e4-69e17e8 391->397 393 69e17b3-69e17b5 392->393 394 69e17b1 392->394 393->391 394->391 398 69e17ea-69e17ef 397->398 399 69e17f1-69e17f6 397->399 400 69e17fc-69e17ff 398->400 399->400 401 69e1abf-69e1ac7 400->401 402 69e1805-69e181a 400->402 402->397 404 69e181c 402->404 405 69e18d8-69e198b 404->405 406 69e1a07-69e1a2c 404->406 407 69e1823-69e18d3 404->407 408 69e1990-69e19bd 404->408 405->397 421 69e1a2e-69e1a30 406->421 422 69e1a32-69e1a36 406->422 407->397 427 69e1b36-69e1b77 408->427 428 69e19c3-69e19cd 408->428 426 69e1a94-69e1aba 421->426 429 69e1a38-69e1a55 422->429 430 69e1a57-69e1a7a 422->430 426->397 433 69e19d3-69e1a02 428->433 434 69e1b00-69e1b2f 428->434 429->426 451 69e1a7c-69e1a82 430->451 452 69e1a92 430->452 433->397 434->427 454 69e1a86-69e1a88 451->454 455 69e1a84 451->455 452->426 454->452 455->452
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791026005.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_69e0000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: $dq$$dq$$dq$$dq$$dq$$dq
                                                                                                                                                        • API String ID: 0-2331353128
                                                                                                                                                        • Opcode ID: 0a653888911aee88b87c291aff80088bf9d0bcee7d5db50b9aa9fb199f9406df
                                                                                                                                                        • Instruction ID: 1949d2f28f9ef34b5ef4e15d88e379101e2eca11e66ac0ce6045f5763c453e73
                                                                                                                                                        • Opcode Fuzzy Hash: 0a653888911aee88b87c291aff80088bf9d0bcee7d5db50b9aa9fb199f9406df
                                                                                                                                                        • Instruction Fuzzy Hash: D9C1D230B002059FDB959BA8C854A3EBBEAFF89701F24446DE5028B7A2DF75DC05C791
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 013DCFF9 Relevance: 6.1, APIs: 4, Instructions: 136COMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 459 13dcff9-13dd00c 460 13dd00f-13dd020 459->460 461 13dd00e 459->461 463 13dd037-13dd038 460->463 464 13dd022-13dd02a 460->464 461->460 466 13dd09d-13dd0a2 464->466 467 13dd02c-13dd030 call 13dc8e8 464->467 469 13dd115-13dd147 GetCurrentProcess 466->469 470 13dd0a4-13dd0a7 466->470 471 13dd035 467->471 472 13dd149-13dd14f 469->472 473 13dd150-13dd184 GetCurrentThread 469->473 471->463 472->473 474 13dd18d-13dd1c1 GetCurrentProcess 473->474 475 13dd186-13dd18c 473->475 476 13dd1ca-13dd1e5 call 13dd289 474->476 477 13dd1c3-13dd1c9 474->477 475->474 481 13dd1eb-13dd21a GetCurrentThreadId 476->481 477->476 482 13dd21c-13dd222 481->482 483 13dd223-13dd285 481->483 482->483
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1743246090.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_13d0000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 1614848564892cd6c2bacd4933993e71a3fa422c6bf3cf600e7f95e25c4c89ad
                                                                                                                                                        • Instruction ID: 1ed59698befe724c7f27e3302ce915ec0ab8daaa38d2c9415e9a23235bb1261e
                                                                                                                                                        • Opcode Fuzzy Hash: 1614848564892cd6c2bacd4933993e71a3fa422c6bf3cf600e7f95e25c4c89ad
                                                                                                                                                        • Instruction Fuzzy Hash: 3B51C0B19003498FDB54DFA9E8497DEBFF1EF49318F248059D109AB3A1C7344989CB65
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 013DD0A8 Relevance: 6.1, APIs: 4, Instructions: 131threadCOMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 490 13dd0a8-13dd147 GetCurrentProcess 495 13dd149-13dd14f 490->495 496 13dd150-13dd184 GetCurrentThread 490->496 495->496 497 13dd18d-13dd1c1 GetCurrentProcess 496->497 498 13dd186-13dd18c 496->498 499 13dd1ca-13dd1e5 call 13dd289 497->499 500 13dd1c3-13dd1c9 497->500 498->497 504 13dd1eb-13dd21a GetCurrentThreadId 499->504 500->499 505 13dd21c-13dd222 504->505 506 13dd223-13dd285 504->506 505->506
                                                                                                                                                        APIs
                                                                                                                                                        • GetCurrentProcess.KERNEL32 ref: 013DD136
                                                                                                                                                        • GetCurrentThread.KERNEL32 ref: 013DD173
                                                                                                                                                        • GetCurrentProcess.KERNEL32 ref: 013DD1B0
                                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 013DD209
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1743246090.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_13d0000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: Current$ProcessThread
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2063062207-0
                                                                                                                                                        • Opcode ID: 4ad4e2d6c7150888ee09fe9680a5a3b9dbb7f4acd87ff23d440a74025bfb75a4
                                                                                                                                                        • Instruction ID: a6edefb61bca2ceb2e5a78069c6f5c922ebd0201bbfdfb4b80120ff535243f94
                                                                                                                                                        • Opcode Fuzzy Hash: 4ad4e2d6c7150888ee09fe9680a5a3b9dbb7f4acd87ff23d440a74025bfb75a4
                                                                                                                                                        • Instruction Fuzzy Hash: F05189B19003498FDB54DFA9D94879EBBF1EF48314F208459E009A7390D7345988CF65
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 013DD0B8 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 513 13dd0b8-13dd147 GetCurrentProcess 518 13dd149-13dd14f 513->518 519 13dd150-13dd184 GetCurrentThread 513->519 518->519 520 13dd18d-13dd1c1 GetCurrentProcess 519->520 521 13dd186-13dd18c 519->521 522 13dd1ca-13dd1e5 call 13dd289 520->522 523 13dd1c3-13dd1c9 520->523 521->520 527 13dd1eb-13dd21a GetCurrentThreadId 522->527 523->522 528 13dd21c-13dd222 527->528 529 13dd223-13dd285 527->529 528->529
                                                                                                                                                        APIs
                                                                                                                                                        • GetCurrentProcess.KERNEL32 ref: 013DD136
                                                                                                                                                        • GetCurrentThread.KERNEL32 ref: 013DD173
                                                                                                                                                        • GetCurrentProcess.KERNEL32 ref: 013DD1B0
                                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 013DD209
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1743246090.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_13d0000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: Current$ProcessThread
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2063062207-0
                                                                                                                                                        • Opcode ID: 5d05e753867d6ef8f31f70bdb949bcc58b37e71a9412541143f0f214cc564228
                                                                                                                                                        • Instruction ID: 1453b53c63972bad3ff9754104d8c8da842f22bc1bb5a9a906935a3fcf7d43b7
                                                                                                                                                        • Opcode Fuzzy Hash: 5d05e753867d6ef8f31f70bdb949bcc58b37e71a9412541143f0f214cc564228
                                                                                                                                                        • Instruction Fuzzy Hash: 6A5177B19003098FDB58DFA9D948B9EBBF5FF48314F208459E419A73A0DB345A88CF65
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 069E1297 Relevance: 2.6, Strings: 2, Instructions: 123COMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 558 69e1297-69e12af 561 69e12c7-69e12e9 558->561 562 69e12b1-69e12b7 558->562 567 69e12ec-69e12f0 561->567 563 69e12bb-69e12bd 562->563 564 69e12b9 562->564 563->561 564->561 568 69e12f9-69e12fe 567->568 569 69e12f2-69e12f7 567->569 570 69e1304-69e1307 568->570 569->570 571 69e130d-69e1322 570->571 572 69e14f8-69e1500 570->572 571->567 574 69e1324 571->574 575 69e132b-69e1350 574->575 576 69e1498 574->576 577 69e13e0-69e1405 574->577 589 69e1356-69e135a 575->589 590 69e1352-69e1354 575->590 578 69e14a2-69e14b9 576->578 587 69e140b-69e140f 577->587 588 69e1407-69e1409 577->588 581 69e14bf-69e14f3 578->581 581->567 595 69e1430-69e1453 587->595 596 69e1411-69e142e 587->596 594 69e146d-69e1493 588->594 591 69e135c-69e1379 589->591 592 69e137b-69e139e 589->592 597 69e13b8-69e13db 590->597 591->597 613 69e13b6 592->613 614 69e13a0-69e13a6 592->614 594->567 611 69e146b 595->611 612 69e1455-69e145b 595->612 596->594 597->567 611->594 615 69e145f-69e1461 612->615 616 69e145d 612->616 613->597 617 69e13aa-69e13ac 614->617 618 69e13a8 614->618 615->611 616->611 617->613 618->613
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791026005.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_69e0000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: $dq$$dq
                                                                                                                                                        • API String ID: 0-2340669324
                                                                                                                                                        • Opcode ID: eca10f42084b52f1dc20dbe1014d167b3520bd76c14624d482cb8243bf438d39
                                                                                                                                                        • Instruction ID: f72202a28464baaa38cd8637e9340b92c7d5b551409bc01aa378c08118523d89
                                                                                                                                                        • Opcode Fuzzy Hash: eca10f42084b52f1dc20dbe1014d167b3520bd76c14624d482cb8243bf438d39
                                                                                                                                                        • Instruction Fuzzy Hash: C341F2747402019FD7869BA88C54A3B76EBAF99705F114469EB02CB7E2CEB1DC058791
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 013DAE30 Relevance: 1.7, APIs: 1, Instructions: 197COMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 769 13dae30-13dae3f 771 13dae6b-13dae6f 769->771 772 13dae41-13dae4e call 13d9838 769->772 774 13dae71-13dae7b 771->774 775 13dae83-13daec4 771->775 778 13dae64 772->778 779 13dae50 772->779 774->775 781 13daec6-13daece 775->781 782 13daed1-13daedf 775->782 778->771 827 13dae56 call 13db0b8 779->827 828 13dae56 call 13db0c8 779->828 781->782 783 13daee1-13daee6 782->783 784 13daf03-13daf05 782->784 786 13daee8-13daeef call 13da814 783->786 787 13daef1 783->787 789 13daf08-13daf0f 784->789 785 13dae5c-13dae5e 785->778 788 13dafa0-13dafb7 785->788 791 13daef3-13daf01 786->791 787->791 803 13dafb9-13db018 788->803 792 13daf1c-13daf23 789->792 793 13daf11-13daf19 789->793 791->789 794 13daf25-13daf2d 792->794 795 13daf30-13daf39 call 13da824 792->795 793->792 794->795 801 13daf3b-13daf43 795->801 802 13daf46-13daf4b 795->802 801->802 804 13daf4d-13daf54 802->804 805 13daf69-13daf76 802->805 821 13db01a-13db060 803->821 804->805 806 13daf56-13daf66 call 13da834 call 13da844 804->806 812 13daf99-13daf9f 805->812 813 13daf78-13daf96 805->813 806->805 813->812 822 13db068-13db093 GetModuleHandleW 821->822 823 13db062-13db065 821->823 824 13db09c-13db0b0 822->824 825 13db095-13db09b 822->825 823->822 825->824 827->785 828->785
                                                                                                                                                        APIs
                                                                                                                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 013DB086
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1743246090.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_13d0000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: HandleModule
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 4139908857-0
                                                                                                                                                        • Opcode ID: 8ef9e843c20d69d0e9191efa5ac400cf80ab569fe1bb041374c927a1db04adc5
                                                                                                                                                        • Instruction ID: 1a118ed1c288c1086b928940c8cd9e1fb34cfd7962b784c4f382f4117599fd86
                                                                                                                                                        • Opcode Fuzzy Hash: 8ef9e843c20d69d0e9191efa5ac400cf80ab569fe1bb041374c927a1db04adc5
                                                                                                                                                        • Instruction Fuzzy Hash: 9C8165B1A00B058FDB24DF29E54075ABBF5FF88308F00896DD58AD7A90DB75E949CB90
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 013D4248 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 829 13d4248-13d5a01 CreateActCtxA 832 13d5a0a-13d5a64 829->832 833 13d5a03-13d5a09 829->833 840 13d5a66-13d5a69 832->840 841 13d5a73-13d5a77 832->841 833->832 840->841 842 13d5a79-13d5a85 841->842 843 13d5a88 841->843 842->843 845 13d5a89 843->845 845->845
                                                                                                                                                        APIs
                                                                                                                                                        • CreateActCtxA.KERNEL32(?), ref: 013D59F1
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1743246090.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_13d0000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: Create
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2289755597-0
                                                                                                                                                        • Opcode ID: 13de6a5d66e8552948176efc08fd4be6f86d3d60067375af7895a73d82077eae
                                                                                                                                                        • Instruction ID: eb6c57aef4f702ff62237e4cf59820b79addc44cf7876a342e2cc91e77f92840
                                                                                                                                                        • Opcode Fuzzy Hash: 13de6a5d66e8552948176efc08fd4be6f86d3d60067375af7895a73d82077eae
                                                                                                                                                        • Instruction Fuzzy Hash: 6941F1B1C0072DCADB24CFA9C884B8DBBB5FF49314F20806AD509AB255DBB56949CF91
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 013D5935 Relevance: 1.6, APIs: 1, Instructions: 95COMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 846 13d5935-13d593a 847 13d5944-13d5a01 CreateActCtxA 846->847 849 13d5a0a-13d5a64 847->849 850 13d5a03-13d5a09 847->850 857 13d5a66-13d5a69 849->857 858 13d5a73-13d5a77 849->858 850->849 857->858 859 13d5a79-13d5a85 858->859 860 13d5a88 858->860 859->860 862 13d5a89 860->862 862->862
                                                                                                                                                        APIs
                                                                                                                                                        • CreateActCtxA.KERNEL32(?), ref: 013D59F1
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1743246090.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_13d0000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: Create
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2289755597-0
                                                                                                                                                        • Opcode ID: 4d666d4350f68ec988c6f37df0d2b6b1656349791756cd211c0a16e05f657dab
                                                                                                                                                        • Instruction ID: 7a956cc7224453ae6008493b416da49f91a8a97d56964350c077b82a782cc72a
                                                                                                                                                        • Opcode Fuzzy Hash: 4d666d4350f68ec988c6f37df0d2b6b1656349791756cd211c0a16e05f657dab
                                                                                                                                                        • Instruction Fuzzy Hash: 5F4112B1C00729CEDB24CFA9C884B8DBBB5FF49314F24805AD408AB251DBB5294ACF91
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 013DD300 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 868 13dd300-13dd394 DuplicateHandle 869 13dd39d-13dd3ba 868->869 870 13dd396-13dd39c 868->870 870->869
                                                                                                                                                        APIs
                                                                                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 013DD387
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1743246090.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_13d0000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: DuplicateHandle
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3793708945-0
                                                                                                                                                        • Opcode ID: d6aed6a0822a8d3a3c6d71b1dcd209038545618ca8eb96ea67ef76e47bc58037
                                                                                                                                                        • Instruction ID: b64f5062f2677aa38effdeb21933ed2b639e9f2004106959c065642e354f42c9
                                                                                                                                                        • Opcode Fuzzy Hash: d6aed6a0822a8d3a3c6d71b1dcd209038545618ca8eb96ea67ef76e47bc58037
                                                                                                                                                        • Instruction Fuzzy Hash: 4021C2B59003489FDB10CFAAD984ADEBFF4EB48324F14841AE919A3350D774A954CFA5
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 013DD2F9 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 863 13dd2f9-13dd394 DuplicateHandle 864 13dd39d-13dd3ba 863->864 865 13dd396-13dd39c 863->865 865->864
                                                                                                                                                        APIs
                                                                                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 013DD387
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1743246090.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_13d0000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: DuplicateHandle
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3793708945-0
                                                                                                                                                        • Opcode ID: 3e43d4945802a7edb6938ef9d13b8d841eaadc1c49664501a00ef82974d004ed
                                                                                                                                                        • Instruction ID: 2a09f9d4e4155808e9d4e18b1c1678f8f93f80b5186c8e4630e72eb88594ef3f
                                                                                                                                                        • Opcode Fuzzy Hash: 3e43d4945802a7edb6938ef9d13b8d841eaadc1c49664501a00ef82974d004ed
                                                                                                                                                        • Instruction Fuzzy Hash: 7C21E4B5D003489FDB10CF99D985ADEBBF4EB48324F14841AE918B3350D374A954CF64
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 013DA870 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 873 13da870-13db2e8 875 13db2ea-13db2ed 873->875 876 13db2f0-13db31f LoadLibraryExW 873->876 875->876 877 13db328-13db345 876->877 878 13db321-13db327 876->878 878->877
                                                                                                                                                        APIs
                                                                                                                                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,013DB101,00000800,00000000,00000000), ref: 013DB312
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1743246090.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_13d0000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: LibraryLoad
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 1029625771-0
                                                                                                                                                        • Opcode ID: 39eb47ff007db3b60c1d5d9dab41a6c58d6017dc2ef93ca64f0a04b40556c658
                                                                                                                                                        • Instruction ID: 0bd70408ed937c2ab2d7f44ebc0719570f1ba32f56f51c2e55482adfcd779928
                                                                                                                                                        • Opcode Fuzzy Hash: 39eb47ff007db3b60c1d5d9dab41a6c58d6017dc2ef93ca64f0a04b40556c658
                                                                                                                                                        • Instruction Fuzzy Hash: CB1126B6D003498FDB10CF9AD844ADEFBF4EB89324F11842ED919A7200C774A545CFA4
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 013DB2A0 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,013DB101,00000800,00000000,00000000), ref: 013DB312
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1743246090.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_13d0000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: LibraryLoad
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 1029625771-0
                                                                                                                                                        • Opcode ID: 9407b3aa77b32e8047f903b0bfbe497a6bf4d043438534f62ff189f32d850214
                                                                                                                                                        • Instruction ID: 1bf46a84a86e8f4fe0723fd42fa565fd31a2be8b3b9d2f6a5278f50482cccd6b
                                                                                                                                                        • Opcode Fuzzy Hash: 9407b3aa77b32e8047f903b0bfbe497a6bf4d043438534f62ff189f32d850214
                                                                                                                                                        • Instruction Fuzzy Hash: CA2147B68003498FDB10CFAAD844ADEFFF4EB49324F10852ED929A7240C774A545CFA1
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 013DB020 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 013DB086
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1743246090.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_13d0000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: HandleModule
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 4139908857-0
                                                                                                                                                        • Opcode ID: f7ea10c9c52f213dfd58e6104d678c971f590d6468265bf756fc1958e5867d32
                                                                                                                                                        • Instruction ID: dc5d976b229649ee1221007a0bd7f6dcd32de0f28dbf1580e42177bc36dc391a
                                                                                                                                                        • Opcode Fuzzy Hash: f7ea10c9c52f213dfd58e6104d678c971f590d6468265bf756fc1958e5867d32
                                                                                                                                                        • Instruction Fuzzy Hash: 661110B6C003498FDB20DF9AD844ADEFBF4EB89324F15841AD929B7210C375A549CFA1
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A059D8 Relevance: 1.5, Strings: 1, Instructions: 292COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: d
                                                                                                                                                        • API String ID: 0-2564639436
                                                                                                                                                        • Opcode ID: 3d0f698eb463f1cfff84550308bbbf0a385e15b41004712ffe692f98c90b57cf
                                                                                                                                                        • Instruction ID: eaf6e93ef3e2c777bd7fc6989986c9157ee82d58f63aee5b341755282662dd3e
                                                                                                                                                        • Opcode Fuzzy Hash: 3d0f698eb463f1cfff84550308bbbf0a385e15b41004712ffe692f98c90b57cf
                                                                                                                                                        • Instruction Fuzzy Hash: 1AC16D34A00602CFCB55DF19D58096ABBF2FF89310755C999E45A8B6A6D730FC46CF90
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 069E1BA0 Relevance: 1.4, Instructions: 1437COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791026005.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_69e0000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 24cb57a22885c0e91228416ed013ad430b4afb84f25e366e6f30cd07eca6e81c
                                                                                                                                                        • Instruction ID: 51135e843719509cad2b4176b1498cd42c3e326e3018fc27720f09c1d5d0f151
                                                                                                                                                        • Opcode Fuzzy Hash: 24cb57a22885c0e91228416ed013ad430b4afb84f25e366e6f30cd07eca6e81c
                                                                                                                                                        • Instruction Fuzzy Hash: 0AC24070B002189FCB55DF64C851AADBBB6FF88704F118099E60A9B3A1DF71AE45CF91
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A084C8 Relevance: 1.4, Strings: 1, Instructions: 103COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: 4'dq
                                                                                                                                                        • API String ID: 0-1167855494
                                                                                                                                                        • Opcode ID: 50a21e83e1019d299f5e61e03454a0de3b9b5041ac9069ab63277a5881d50c53
                                                                                                                                                        • Instruction ID: 5d243be5cf0fbc34774ddb58b10bb21c4e61c8faf13574b7757cdee8ecd42ad9
                                                                                                                                                        • Opcode Fuzzy Hash: 50a21e83e1019d299f5e61e03454a0de3b9b5041ac9069ab63277a5881d50c53
                                                                                                                                                        • Instruction Fuzzy Hash: F6318C317002058FCB49EB7CA4555AF3BE7ABC82017104439E50ACB385EE39AC4687E1
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A03DE0 Relevance: 1.4, Strings: 1, Instructions: 102COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: 4'dq
                                                                                                                                                        • API String ID: 0-1167855494
                                                                                                                                                        • Opcode ID: 68cf45db09beff4270c107a8579407b287e18a8ac99149c99f4120de0f491cdd
                                                                                                                                                        • Instruction ID: 0b28752e9b853609bb32b8458224555103c8fec87c16415650f2f58360ad05f9
                                                                                                                                                        • Opcode Fuzzy Hash: 68cf45db09beff4270c107a8579407b287e18a8ac99149c99f4120de0f491cdd
                                                                                                                                                        • Instruction Fuzzy Hash: 9F312871B003524FCB19AB38A85456E7BE6EFCA31135548AEE80A8B791DE34EC07C791
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A0B358 Relevance: 1.3, Strings: 1, Instructions: 38COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: 4'dq
                                                                                                                                                        • API String ID: 0-1167855494
                                                                                                                                                        • Opcode ID: 1471cbdd54bb63e07b41a90ee51dced462fd234ce014cd4ffd02b6b63886ff6f
                                                                                                                                                        • Instruction ID: eb260e6bb85456404a462c7211a1ac57bfbf1d355215967fd5c6e463b328ef41
                                                                                                                                                        • Opcode Fuzzy Hash: 1471cbdd54bb63e07b41a90ee51dced462fd234ce014cd4ffd02b6b63886ff6f
                                                                                                                                                        • Instruction Fuzzy Hash: 4D01A2B0E05246DFCB05EFB8EA9419C7FB2FF55201B1544AED446EB350DA340E49CB21
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A03EC8 Relevance: 1.3, Strings: 1, Instructions: 36COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: 4'dq
                                                                                                                                                        • API String ID: 0-1167855494
                                                                                                                                                        • Opcode ID: 7e4836848b1333b29a2554ee702e2039c9de74374e37026f8c8f86789f89ab92
                                                                                                                                                        • Instruction ID: 52156da2cf6b3d8e3f9e5ab5aab53fee9dadb5062378af03800e337f59b96d18
                                                                                                                                                        • Opcode Fuzzy Hash: 7e4836848b1333b29a2554ee702e2039c9de74374e37026f8c8f86789f89ab92
                                                                                                                                                        • Instruction Fuzzy Hash: 9FF067313103124F8708EB69E85196E7BDAEBD9212351492DE80A8BA54EE20BD4B87A5
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A0B368 Relevance: 1.3, Strings: 1, Instructions: 32COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: 4'dq
                                                                                                                                                        • API String ID: 0-1167855494
                                                                                                                                                        • Opcode ID: fd32ebf49f3074eedce5b79084841baf684edde07f214d17671bef6066f61a23
                                                                                                                                                        • Instruction ID: 3e830fdef900ae5b1a37dc5a543edb65c6c0552517f1eb660c1a5a835a2677e8
                                                                                                                                                        • Opcode Fuzzy Hash: fd32ebf49f3074eedce5b79084841baf684edde07f214d17671bef6066f61a23
                                                                                                                                                        • Instruction Fuzzy Hash: B0F03CB0E0120AEFCB04EFB8E65555D7BB6FB44201B1445A9D90AA7354EA381E44DB54
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 069E00D8 Relevance: .7, Instructions: 676COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791026005.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_69e0000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 082c15874bc3942571c01267cdee67c94c26c61bb6e7f22dd14c55c01675a42c
                                                                                                                                                        • Instruction ID: afd00ec5d0c65b67c84cccc655fca1d9241a7f6956664177233c2cb925458ad6
                                                                                                                                                        • Opcode Fuzzy Hash: 082c15874bc3942571c01267cdee67c94c26c61bb6e7f22dd14c55c01675a42c
                                                                                                                                                        • Instruction Fuzzy Hash: DC426930B006298FCBA5AF78D45062EBBF2FF95705B50495CD503AB792CF79AC058B82
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 069E2070 Relevance: .6, Instructions: 570COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791026005.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_69e0000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 747b058d298fed0836946efaffd557accdb6624391305719c6773c50f85f7077
                                                                                                                                                        • Instruction ID: 1195bbd6545f7761228846c2db63031b356d47dbb204d857af90eb235c398898
                                                                                                                                                        • Opcode Fuzzy Hash: 747b058d298fed0836946efaffd557accdb6624391305719c6773c50f85f7077
                                                                                                                                                        • Instruction Fuzzy Hash: E622A474B102148FCB559B24C856EAE77FAEFC8704F118189EA0A5B791CF71EE418F91
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 069E4050 Relevance: .4, Instructions: 354COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791026005.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_69e0000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 5ec62c47c337fc6b8dca34b8de42345ac7877d08a4e92eb516850472d034defa
                                                                                                                                                        • Instruction ID: 2fb48408a5cbf8c43785c96da50b159ee131e433b8e6eb6efec6612ffdede97c
                                                                                                                                                        • Opcode Fuzzy Hash: 5ec62c47c337fc6b8dca34b8de42345ac7877d08a4e92eb516850472d034defa
                                                                                                                                                        • Instruction Fuzzy Hash: 38D11A74B002049FCB55DFA9C894EAEBBF6EF89704F118099E505DB3A2DA71ED41CB50
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 069E00B8 Relevance: .3, Instructions: 336COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791026005.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_69e0000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: fcc50b34f3ffc3e49fe57b415fa98e041bd6f5c7ec63afe227e9511d281fdf2d
                                                                                                                                                        • Instruction ID: 892fe43181fc7bb88bb51349212c70ff73358c0cb79139accf4bc9decfe9fbfd
                                                                                                                                                        • Opcode Fuzzy Hash: fcc50b34f3ffc3e49fe57b415fa98e041bd6f5c7ec63afe227e9511d281fdf2d
                                                                                                                                                        • Instruction Fuzzy Hash: CBC19130B002048FDB859B64C859B6E7BFAFF89704F118059EA029B7A2CFB5DC55CB91
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A04AFF Relevance: .3, Instructions: 292COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 075879d67a695b55a6f38ff82636dc01a2b370ee730c59a90729367ba66d191b
                                                                                                                                                        • Instruction ID: 3d62e3bf8feba7563e0caff881496d5aa8112e5e3fdc0a4971ba495e715b4408
                                                                                                                                                        • Opcode Fuzzy Hash: 075879d67a695b55a6f38ff82636dc01a2b370ee730c59a90729367ba66d191b
                                                                                                                                                        • Instruction Fuzzy Hash: CCC13774B00605CFDB44DF69D484AAABBF2FF89305B1584A9E506DB3A1DB34EC46CB60
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A07D58 Relevance: .1, Instructions: 147COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: e18ca235a2be6a283b5d588c06c5d956354d0f6f7a99552914e9d695f2b06991
                                                                                                                                                        • Instruction ID: 012e59f88b00269dcb7de246304fc4524a9218a2c67313f7f5e53462b44f9b1b
                                                                                                                                                        • Opcode Fuzzy Hash: e18ca235a2be6a283b5d588c06c5d956354d0f6f7a99552914e9d695f2b06991
                                                                                                                                                        • Instruction Fuzzy Hash: 8B514771E00258CFEB54DFA9E980BEEBBF5BF48710F148429D415AB284DB74A946CF80
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A059C8 Relevance: .1, Instructions: 138COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: b08bad7fc9d749175e7ec90cf393509bdc50c6777182200c2ead468396e268ee
                                                                                                                                                        • Instruction ID: b1dc0fa499f634186088a4d4308bb9ab1e46d62fb6472c0da9e5f52b365231ba
                                                                                                                                                        • Opcode Fuzzy Hash: b08bad7fc9d749175e7ec90cf393509bdc50c6777182200c2ead468396e268ee
                                                                                                                                                        • Instruction Fuzzy Hash: 88515775A00205CFDB54DF59D980AAAFBF2FF88310B558999E5599B3A1D730F801CF90
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A07D4C Relevance: .1, Instructions: 129COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: f94c778bf02c181886dacd6c7d4a9030a086f398b7eff162947b3c786a4da1d5
                                                                                                                                                        • Instruction ID: 58a4e8ccca907c871458c37a7898df84edbf47b171436bf44611b0f77d1c1860
                                                                                                                                                        • Opcode Fuzzy Hash: f94c778bf02c181886dacd6c7d4a9030a086f398b7eff162947b3c786a4da1d5
                                                                                                                                                        • Instruction Fuzzy Hash: 825138B1E00258DFEB54DFA9E984BDEBBF5AF49700F148429E415AB280DB74A845CF80
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A05579 Relevance: .1, Instructions: 99COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 2ce8f1c0b5eee97dc71864351e0e0963dc202d8bc8d9321abeb5e643315c98e2
                                                                                                                                                        • Instruction ID: 0f3d6dd9200c972dbddb1ff77275082c81910c756a5e22f06378a0baa2aa71cf
                                                                                                                                                        • Opcode Fuzzy Hash: 2ce8f1c0b5eee97dc71864351e0e0963dc202d8bc8d9321abeb5e643315c98e2
                                                                                                                                                        • Instruction Fuzzy Hash: 82316875B112119FCB09EF38D884A6EBBB2BF89301B448469F905CB395DB30DD02CB90
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A05588 Relevance: .1, Instructions: 96COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 2bc89225ab3acee4d02b2ebf24ff8f0f6ef46d19884e7acbf356fb7e1464afe6
                                                                                                                                                        • Instruction ID: b7c70085a3c66b23625e6e1bccfd0fa2bc4206887a787656448fc7ac2b7a8aa3
                                                                                                                                                        • Opcode Fuzzy Hash: 2bc89225ab3acee4d02b2ebf24ff8f0f6ef46d19884e7acbf356fb7e1464afe6
                                                                                                                                                        • Instruction Fuzzy Hash: BE312375B112119FCB19EF38D88496EBBB6FF89301B548469F9058B3A5DB31ED02CB90
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A087A0 Relevance: .1, Instructions: 93COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 5ca5705ff1fb022e69b261775896f362031d07aca3b302a92fa597c4ae6f4a7f
                                                                                                                                                        • Instruction ID: 6a945f659af0caa2f9d2ac37085ad2cd5c62ffd3954f9d86133fd4857df7bbd6
                                                                                                                                                        • Opcode Fuzzy Hash: 5ca5705ff1fb022e69b261775896f362031d07aca3b302a92fa597c4ae6f4a7f
                                                                                                                                                        • Instruction Fuzzy Hash: 724102B1D012489FDF54DFAAE944ADEFBB6AF88310F14802AD415B7290DB34A949CF94
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 069E10D0 Relevance: .1, Instructions: 90COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791026005.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_69e0000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 720d0db5b3d6d48a49fffabf70676ee0a01ec50c536a24be6e987769820f886f
                                                                                                                                                        • Instruction ID: c99469925f4681640aa5907d827f9ef783ee6e4c92852faa112b068e063bb30e
                                                                                                                                                        • Opcode Fuzzy Hash: 720d0db5b3d6d48a49fffabf70676ee0a01ec50c536a24be6e987769820f886f
                                                                                                                                                        • Instruction Fuzzy Hash: BF31E330B042408FDB568BA8CC14A6A7BF6EF96710F2584AAD516CB7A3CF34CC05CB91
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A08795 Relevance: .1, Instructions: 79COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: b400300012ed3322f98994817857022684836c40d774f9326e1cd6b9e00f7434
                                                                                                                                                        • Instruction ID: 8da46e695dacd0f3f584225cd5b5fd273705ed3a402fddbacaa231a79955510f
                                                                                                                                                        • Opcode Fuzzy Hash: b400300012ed3322f98994817857022684836c40d774f9326e1cd6b9e00f7434
                                                                                                                                                        • Instruction Fuzzy Hash: 343113B1D012489FEB54DFAAD944ADEBFF6AF48300F14802AD415BB290DB35A949CF54
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 069E360B Relevance: .1, Instructions: 78COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791026005.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_69e0000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 5b39127986180758c3e826aa618f90cb6bd27626cb0a41160cb99dbf5de8db62
                                                                                                                                                        • Instruction ID: ec3a38de9749d31afe90b71a39f8502ef2fb4ab4a2c95e3a82673ede332c491c
                                                                                                                                                        • Opcode Fuzzy Hash: 5b39127986180758c3e826aa618f90cb6bd27626cb0a41160cb99dbf5de8db62
                                                                                                                                                        • Instruction Fuzzy Hash: 11213D35B401049FCB54DF65C884DAABBB2FF88715F2180A9F9099F3A2DA31ED05CB50
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A08A98 Relevance: .1, Instructions: 77COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 2073bd493085a0e05f26f019821d1ecec1999eb56ab14940d78b11d3f1de3810
                                                                                                                                                        • Instruction ID: b8674cb806bffddca9eaaba08f384fbc2d7740205556c1a00c8a21f6afd4cf67
                                                                                                                                                        • Opcode Fuzzy Hash: 2073bd493085a0e05f26f019821d1ecec1999eb56ab14940d78b11d3f1de3810
                                                                                                                                                        • Instruction Fuzzy Hash: 603123B1D01258DFDF14DFA9E890ADEBBF5AF48310F14802AE405B7280CB78A945CB94
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 0129D654 Relevance: .1, Instructions: 77COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1742858620.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_129d000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: d2db0fe841bcf7d3d5d8b8be3c42babf94604d5077c06c131cdd299303a442f6
                                                                                                                                                        • Instruction ID: 9edd2f254dce0aa44c2107a779163e140f33f7ba058ef5202b2df1ee8a483cf7
                                                                                                                                                        • Opcode Fuzzy Hash: d2db0fe841bcf7d3d5d8b8be3c42babf94604d5077c06c131cdd299303a442f6
                                                                                                                                                        • Instruction Fuzzy Hash: 3C2148B6510244EFCF05CF58D9C4B2ABFA5FB88314F24C668EA0D0B246C336D416DBA1
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 0129D3D8 Relevance: .1, Instructions: 75COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1742858620.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_129d000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 53d7ef6075c1a0bda42511e612c779c87796aaa7b918dd25f413255917d8d5bc
                                                                                                                                                        • Instruction ID: 731b2e409b45a8535cbbfdf0316960d94e90bb7b4f00b3dea350edc2d994f52d
                                                                                                                                                        • Opcode Fuzzy Hash: 53d7ef6075c1a0bda42511e612c779c87796aaa7b918dd25f413255917d8d5bc
                                                                                                                                                        • Instruction Fuzzy Hash: A72124B5510209DFDF01DF48C9C0B66BF65FB94324F24C568D90A0B206C336E456DAA1
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 012AD01C Relevance: .1, Instructions: 72COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1742899342.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_12ad000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 30b05730e7995b112895fe54387db6e01d12f196399225a3a6770e72c4364b20
                                                                                                                                                        • Instruction ID: 59cc070088ae4ac8040050fe091217ecb5f89a60aa93a70c3696dc8b1e896d0f
                                                                                                                                                        • Opcode Fuzzy Hash: 30b05730e7995b112895fe54387db6e01d12f196399225a3a6770e72c4364b20
                                                                                                                                                        • Instruction Fuzzy Hash: CF2142B0694308DFCB11CF68D9C4B22BBA1EB84314F60C96DD90A4B742C37AD807CA61
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A0C0BF Relevance: .1, Instructions: 65COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: ea90caa99bc06046500b0e6c74bc13ce60f7f29fbe5fbae4576911b8850953ff
                                                                                                                                                        • Instruction ID: 4f7d8b282d6421d3220bde4bc1d75803ac3ba9716fd0938f24d8e30fb9d1ea6c
                                                                                                                                                        • Opcode Fuzzy Hash: ea90caa99bc06046500b0e6c74bc13ce60f7f29fbe5fbae4576911b8850953ff
                                                                                                                                                        • Instruction Fuzzy Hash: 7C113B722053954FC302CF28DDA47EB3FE6DF82305B04455FD4C68B262CA215D1AC751
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A08A8C Relevance: .1, Instructions: 65COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 933eddd0ea9c76a90c1d97ab38d7713d778a633817778af50ac3a1abd024f8a0
                                                                                                                                                        • Instruction ID: 338c7546ec50c62cfefd3c0f570d3b4ac1fd644357e678f32791c39848eeae50
                                                                                                                                                        • Opcode Fuzzy Hash: 933eddd0ea9c76a90c1d97ab38d7713d778a633817778af50ac3a1abd024f8a0
                                                                                                                                                        • Instruction Fuzzy Hash: 402144B1D013489FDF54EFA9D894B9EBBF8AF09310F148029E405A7380CB78A945CB94
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 012AD006 Relevance: .1, Instructions: 63COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1742899342.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_12ad000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 64fe9b5366ec70282bb9c7e2590ff895bf9fcad11e7de191a542633a882ac024
                                                                                                                                                        • Instruction ID: 3f9d56df0ce758bf6167b8902520c239b5f88ddaf9b6c9b4159202dc634f5558
                                                                                                                                                        • Opcode Fuzzy Hash: 64fe9b5366ec70282bb9c7e2590ff895bf9fcad11e7de191a542633a882ac024
                                                                                                                                                        • Instruction Fuzzy Hash: 7A21B0755483849FCB03CF24D994711BF71EB46314F28C5DAD9498F6A7C33A980ACB62
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A0BC5D Relevance: .1, Instructions: 59COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: a93c21f034c50f896c647411dd29b6891a6d21a73771e22ad68f5a640439281d
                                                                                                                                                        • Instruction ID: 3c102faeed6de99469ae0b5beab34f71ca1c7bd8528aaf86265eb156f10f5fd0
                                                                                                                                                        • Opcode Fuzzy Hash: a93c21f034c50f896c647411dd29b6891a6d21a73771e22ad68f5a640439281d
                                                                                                                                                        • Instruction Fuzzy Hash: E711E1B22102155FCB85B738A8505BE3BE7FFE2246305082DE60B87601DE206D4B87B1
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 0129D64F Relevance: .1, Instructions: 58COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1742858620.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_129d000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: b76b64262ce5a84015d8a22a2ffddec681db0ffbce5b5348a29b5f34a6a2bf4a
                                                                                                                                                        • Instruction ID: 23e9bbe4fc13366ecc534ef624f24b327ddd028e515c993f52d32f1964ae5c17
                                                                                                                                                        • Opcode Fuzzy Hash: b76b64262ce5a84015d8a22a2ffddec681db0ffbce5b5348a29b5f34a6a2bf4a
                                                                                                                                                        • Instruction Fuzzy Hash: 1F21D276504284DFCF06CF48D9C4B5ABF72FB88314F24C6A9DA490B256C33AD416DB91
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 0129D3D3 Relevance: .1, Instructions: 56COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1742858620.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_129d000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 84cb766ada7fbb598ee014b1ccd1c5bca89836becd0d68ec9e965d0554f0dc82
                                                                                                                                                        • Instruction ID: 6d896dd15c0d5c8634599fa3db698d9c61c1049dbdf8499439aa37a753d208c6
                                                                                                                                                        • Opcode Fuzzy Hash: 84cb766ada7fbb598ee014b1ccd1c5bca89836becd0d68ec9e965d0554f0dc82
                                                                                                                                                        • Instruction Fuzzy Hash: 3A11E176504285CFDF02CF48D9C4B56BF71FB84324F24C6A9D9090B616C33AE45ADBA1
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A08350 Relevance: .0, Instructions: 50COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 57de8b8601eb064edc0df4035e65092f591e2222985ec7b1ea59213ddb40e652
                                                                                                                                                        • Instruction ID: e23e089646685d8daa324a245137e0a3ff1237d996de63480ac16d255668cdaf
                                                                                                                                                        • Opcode Fuzzy Hash: 57de8b8601eb064edc0df4035e65092f591e2222985ec7b1ea59213ddb40e652
                                                                                                                                                        • Instruction Fuzzy Hash: DC018471B002199BDF50DEA9EC44ABFF7FAEBD8751B14403AE604D3240EB309D1587A1
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A06E90 Relevance: .0, Instructions: 49COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: d38b159cdf555039c19c7a5e6c80cd7067eddb0c725824d91be82a7ee6d7d392
                                                                                                                                                        • Instruction ID: 6e0ef779e0b1d161895ab8478e7b1f037a18ee82e802ce3c03b0ae73420d1219
                                                                                                                                                        • Opcode Fuzzy Hash: d38b159cdf555039c19c7a5e6c80cd7067eddb0c725824d91be82a7ee6d7d392
                                                                                                                                                        • Instruction Fuzzy Hash: 3A0126776041A82ACB514E996C01ABB3FDDDB8C166B084022FE84C2241C028C82197B0
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A0C499 Relevance: .0, Instructions: 48COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 463c82b034f6c05ca7847ee07e6885e9426732e9c38831e8413de6feb2435018
                                                                                                                                                        • Instruction ID: b1c1677205a40c3631c1d1d1682522a271452fc4cba77b39a60aea0b7fcc8dbf
                                                                                                                                                        • Opcode Fuzzy Hash: 463c82b034f6c05ca7847ee07e6885e9426732e9c38831e8413de6feb2435018
                                                                                                                                                        • Instruction Fuzzy Hash: 7F01E1B02047058FC325EF38E50465E7BE3EFDA316B118A29D04A87744CF749C0ACBA1
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A0BC70 Relevance: .0, Instructions: 46COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 27748e6994875da75a9116449bf09d1076e2ab1e872985f658f9ca823c171b95
                                                                                                                                                        • Instruction ID: 2561591ba8195356d4e63149dbf71c54fa49bd4342bd1474667bad2d738f6ac1
                                                                                                                                                        • Opcode Fuzzy Hash: 27748e6994875da75a9116449bf09d1076e2ab1e872985f658f9ca823c171b95
                                                                                                                                                        • Instruction Fuzzy Hash: 70017CB22102164B8B84B73CE55453E7AE3FFE1256754482CE60B8B640DE707D8B87A1
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 0129DA4D Relevance: .0, Instructions: 45COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1742858620.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_129d000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 41474479d2ac94e99a7da25f79614b585acb1ed8c98b78f11aebba959d74ece7
                                                                                                                                                        • Instruction ID: 3d3ef9fde8b682048fda80442386feaa1038afe901f6e43d2492457a8b4c0463
                                                                                                                                                        • Opcode Fuzzy Hash: 41474479d2ac94e99a7da25f79614b585acb1ed8c98b78f11aebba959d74ece7
                                                                                                                                                        • Instruction Fuzzy Hash: 2C01F27101C3499AEB208A9DDC84B66BFD8DF51325F18C41AEE090B282C67C9840D6B1
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A0E8B0 Relevance: .0, Instructions: 44COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: d4d9218f7226ea5ba5e5fee625188a4eff8083002604cf46ca326ea0b016893b
                                                                                                                                                        • Instruction ID: 53f8c513ebc83d6a078c281b688158f8b4f8e06d596fd03b9bab4bda44fa25b9
                                                                                                                                                        • Opcode Fuzzy Hash: d4d9218f7226ea5ba5e5fee625188a4eff8083002604cf46ca326ea0b016893b
                                                                                                                                                        • Instruction Fuzzy Hash: AE01F9346183489FCB45DB74D81489D3FB6EF8630075484E9E505CB362DB36DD01D791
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A0C4A8 Relevance: .0, Instructions: 42COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 45a12f47289dea422d041d476d848abb67cfb98ae33118ea830fc0ad3a48422e
                                                                                                                                                        • Instruction ID: 07db8c8efbc70f4ccac0a03e95fec7d02cfc865f055cfe7bb0dea85755f00611
                                                                                                                                                        • Opcode Fuzzy Hash: 45a12f47289dea422d041d476d848abb67cfb98ae33118ea830fc0ad3a48422e
                                                                                                                                                        • Instruction Fuzzy Hash: 25015E742006058FD725EF79E54866A77E3FBD5316B108A29D14B87744CF74AC0ACBA1
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A05508 Relevance: .0, Instructions: 42COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 6f4ae6a58b6d86ebd3adee3c8f31096d48aebc9480093a53d0a5e300af261fa9
                                                                                                                                                        • Instruction ID: 372bafee4fea994df1a05bcc7a726c8149c65f63e1d2aca75a8e02d614077a33
                                                                                                                                                        • Opcode Fuzzy Hash: 6f4ae6a58b6d86ebd3adee3c8f31096d48aebc9480093a53d0a5e300af261fa9
                                                                                                                                                        • Instruction Fuzzy Hash: D5016238E15711CFEBA5AB25F60452777F7BF843097148828E44686594DA75F481CF90
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A0C170 Relevance: .0, Instructions: 37COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 48e4bec032b9f4f4dce3385bf7137362263f4f21e1b58248bc2fb38a6d08446e
                                                                                                                                                        • Instruction ID: 3077af9c0614508009584a05becb3a4f506534baa03572a5df2374280debc68c
                                                                                                                                                        • Opcode Fuzzy Hash: 48e4bec032b9f4f4dce3385bf7137362263f4f21e1b58248bc2fb38a6d08446e
                                                                                                                                                        • Instruction Fuzzy Hash: 4D01F4B1901B05DFD315DF25E908596BFF6FF49300700892AE48AC7710DB34A90ACFA1
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A08F50 Relevance: .0, Instructions: 37COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 292b92f169b77aab2fa2cda07542aa39c3b639493dd33484f49296854c352c45
                                                                                                                                                        • Instruction ID: 8e5db3fb656e1672aa5b9378354829ac192c129bf00ca76d2ca9f0973ed5d148
                                                                                                                                                        • Opcode Fuzzy Hash: 292b92f169b77aab2fa2cda07542aa39c3b639493dd33484f49296854c352c45
                                                                                                                                                        • Instruction Fuzzy Hash: 0901D6B4D04209EFDF44EFA9E5456AEBBF5BF48305F1081AAE415A3380E7780A44DF94
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A08F42 Relevance: .0, Instructions: 36COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: d4f5783ebb517051f17bb1b75eb7424ee6381771a3ebbfcaad881a2b37b03f2b
                                                                                                                                                        • Instruction ID: fe9209d36881ec5ea40db025e2b70767776e00d1e1c38b90f92c4b5362801280
                                                                                                                                                        • Opcode Fuzzy Hash: d4f5783ebb517051f17bb1b75eb7424ee6381771a3ebbfcaad881a2b37b03f2b
                                                                                                                                                        • Instruction Fuzzy Hash: FF015AB4C0828ADFDF50DFA4E9496EEBFB5AF09315F10419AE410A7381D7740A41DB94
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A0ACB8 Relevance: .0, Instructions: 36COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 32f22a7d766f218dd3c93e8729d262d4a206a3084d5c99996ce6c491a11ea9a1
                                                                                                                                                        • Instruction ID: 6947d21508ceb8c263ca00966bfe6e4fd1a08748c9bff31b95b1499893c8a568
                                                                                                                                                        • Opcode Fuzzy Hash: 32f22a7d766f218dd3c93e8729d262d4a206a3084d5c99996ce6c491a11ea9a1
                                                                                                                                                        • Instruction Fuzzy Hash: 93F0E9B23093645FC71237786C240BE3FB6D9D669234504DEE28ACB192DA545907C3F1
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 0129DA4C Relevance: .0, Instructions: 36COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1742858620.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_129d000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 70ad9de81dca15a5db80bb7be3d15f5e4fb7f41fc8e5864d51ade54c83c93a2d
                                                                                                                                                        • Instruction ID: 1490e9fdb1babede2679431e1cc9a040110f0a44b2bfb852223ad212b3477e55
                                                                                                                                                        • Opcode Fuzzy Hash: 70ad9de81dca15a5db80bb7be3d15f5e4fb7f41fc8e5864d51ade54c83c93a2d
                                                                                                                                                        • Instruction Fuzzy Hash: 4DF0F6320083449EFB108A0EDD84B62FFD8EB41735F18C45EEE084B286C37CA840CAB0
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A06EA0 Relevance: .0, Instructions: 35COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 417c87a01bc08a9f90865b7a12d09b56e0969a9eab4907d44885fc253b132d7a
                                                                                                                                                        • Instruction ID: aa475bd8c5600eb523249a21c4bee827a288364f76d00249a35a9c951ba2608c
                                                                                                                                                        • Opcode Fuzzy Hash: 417c87a01bc08a9f90865b7a12d09b56e0969a9eab4907d44885fc253b132d7a
                                                                                                                                                        • Instruction Fuzzy Hash: 3FF012662041E83F8F518EAA5C10DFB7FEDDA8E1657084156FE98D2141C429C925ABB0
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A0ADE9 Relevance: .0, Instructions: 35COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: b833f035058fa81f7e5875d72976886cbc8d0736e166e33b61e7783d3fcee6e3
                                                                                                                                                        • Instruction ID: 152446ee284c9728f4a2954ac348cbe1eebca815fd982ee6001ab6ac76ee80ec
                                                                                                                                                        • Opcode Fuzzy Hash: b833f035058fa81f7e5875d72976886cbc8d0736e166e33b61e7783d3fcee6e3
                                                                                                                                                        • Instruction Fuzzy Hash: 6DF0A732304151AFC754776DA8547DFBFDBEFCA655F04452DE20E87242CA611C4583B5
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A08FC0 Relevance: .0, Instructions: 33COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: a0d424e66ca1a549e5366cec0fdb323c768eda0e0d05fce57513bd3cc31568cd
                                                                                                                                                        • Instruction ID: 09f6414e00dfb60a748a2293d03226b61e8d4f5347ff97497a9b6347673887a8
                                                                                                                                                        • Opcode Fuzzy Hash: a0d424e66ca1a549e5366cec0fdb323c768eda0e0d05fce57513bd3cc31568cd
                                                                                                                                                        • Instruction Fuzzy Hash: 92F0A9B4C082499FEB40EFB4E8450AEBFB1EF6A301F0041C6E406E7291E6394A01DB40
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A067C8 Relevance: .0, Instructions: 32COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 7bf165dd5c06af9260b9dd2c1148a8ead20a45576c6acbb2b037045452b79ef4
                                                                                                                                                        • Instruction ID: 039b18745b94eb0504f19c287fd0f9058dd0c13063d696ad7a203dac05be688b
                                                                                                                                                        • Opcode Fuzzy Hash: 7bf165dd5c06af9260b9dd2c1148a8ead20a45576c6acbb2b037045452b79ef4
                                                                                                                                                        • Instruction Fuzzy Hash: 24F09A72B103009BE7219B68A805FA57BE5AB52719F158266F214DF1E2E7B1E80AC740
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A054F8 Relevance: .0, Instructions: 31COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: d22053c887496fbeb940974cf401beae4f38c07cb88d1d380c3c97c8a00ad9a2
                                                                                                                                                        • Instruction ID: 53516aa3bcb2019689ae2ad2a2cd0ad13c94fd6ba1fb73a3d34cfa6699110b29
                                                                                                                                                        • Opcode Fuzzy Hash: d22053c887496fbeb940974cf401beae4f38c07cb88d1d380c3c97c8a00ad9a2
                                                                                                                                                        • Instruction Fuzzy Hash: E7F02439D017418FEBA4DB61E60076BBBF2BF80315F08886CD046469A4D6B5F485CF40
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A0AC60 Relevance: .0, Instructions: 31COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: b328f18aadd1d3667877e82e529f84944046a001812c215b9986fd3ed0f5623a
                                                                                                                                                        • Instruction ID: b13e420d5e542f56c6038e8f581dee8a37c002e00ec5ac49fc3684e3379ed905
                                                                                                                                                        • Opcode Fuzzy Hash: b328f18aadd1d3667877e82e529f84944046a001812c215b9986fd3ed0f5623a
                                                                                                                                                        • Instruction Fuzzy Hash: BCF0A7726183A45FC71367386C344EE3F66DED6665305009BD289CB193CE650D46C7F6
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A08340 Relevance: .0, Instructions: 29COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 0e1a19a21e8831cacbfb0e844acab58b06c4020e8e515f43f86624388cfd63ae
                                                                                                                                                        • Instruction ID: 18eb91bfeb955fc619f45aba048c9c0fb028a3b8b78225765cd55011a950ef5a
                                                                                                                                                        • Opcode Fuzzy Hash: 0e1a19a21e8831cacbfb0e844acab58b06c4020e8e515f43f86624388cfd63ae
                                                                                                                                                        • Instruction Fuzzy Hash: 8EF02772F042198BCF50DEA8AC446AFBBE9AFD4211F0C043AD644C3280F730D411C362
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A0ADF8 Relevance: .0, Instructions: 28COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 27c081cf611133a5a5166c9e6c8288ccb2e91c3f499d36cadc0835fc67182848
                                                                                                                                                        • Instruction ID: 4d9ca458f26f4a77e246c7403436726ca98dcb86590b17692c2039768e2bc9fe
                                                                                                                                                        • Opcode Fuzzy Hash: 27c081cf611133a5a5166c9e6c8288ccb2e91c3f499d36cadc0835fc67182848
                                                                                                                                                        • Instruction Fuzzy Hash: 14E09231300111AFC7107A6EA498AAEBADAEBC9351B00442CE20EC3241CAB11C4547B5
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A0C180 Relevance: .0, Instructions: 27COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 26a2026dfa5352131132b9e5326c4d71b54dcaa1884a29351dc72ae2a8a7f586
                                                                                                                                                        • Instruction ID: 17d5ded7b2e0457374dc7c5b0acaf2883d872ce46e2ee25634c142e1ac9c865a
                                                                                                                                                        • Opcode Fuzzy Hash: 26a2026dfa5352131132b9e5326c4d71b54dcaa1884a29351dc72ae2a8a7f586
                                                                                                                                                        • Instruction Fuzzy Hash: 5FF09074500B01CFD715DF26E548512BBF6FF88301700C62EE44B83A10DB74A90ACF94
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A0C120 Relevance: .0, Instructions: 25COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: f509150f6e7d35c7ecda78c65d4c6069b7a7529bd5a56f214a3d068a4f198e9e
                                                                                                                                                        • Instruction ID: 69a0ddec011190720e375903663cb546ba44b914691d175db7ddb48884ecc02e
                                                                                                                                                        • Opcode Fuzzy Hash: f509150f6e7d35c7ecda78c65d4c6069b7a7529bd5a56f214a3d068a4f198e9e
                                                                                                                                                        • Instruction Fuzzy Hash: 3BE065712007618FC711EB2DE5087AE7FE6DFD5315F04092DE24B8B641CBA56C068BA1
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A0CC38 Relevance: .0, Instructions: 25COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 5bb72a1b8e5037003e156c833b6b75e4c34d788782b5870358bdde5f978f577f
                                                                                                                                                        • Instruction ID: c3e6dadc8e6491cfab62a6deb553203477176363091a18e364ddaf59f445fd3b
                                                                                                                                                        • Opcode Fuzzy Hash: 5bb72a1b8e5037003e156c833b6b75e4c34d788782b5870358bdde5f978f577f
                                                                                                                                                        • Instruction Fuzzy Hash: F1E0DFB22053518FDB52EF28F8446DEBBA9EBA2210B014162D000DB751CA7C0C46CBE3
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A05698 Relevance: .0, Instructions: 23COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 1931777c433fc264df0fcce2ab2ce297e6dc007678c457750c1e593f6250b2be
                                                                                                                                                        • Instruction ID: 4e4f968d13584f9a40ed996d36b10cac7ea6aa127ddaeb778fcb2cb4f673b21d
                                                                                                                                                        • Opcode Fuzzy Hash: 1931777c433fc264df0fcce2ab2ce297e6dc007678c457750c1e593f6250b2be
                                                                                                                                                        • Instruction Fuzzy Hash: 25E012B250D2414FD3159B64B8099863BE4EB51324F55887EF044CA096E7359447CA65
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A0B500 Relevance: .0, Instructions: 23COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: a1ab7a68aff8bedc3b64a61dbb5013abf58b0dc14c41df7411b28fea58b295dd
                                                                                                                                                        • Instruction ID: 3b06854e0bb93a3a0472b585f4c49e699cf2474734a7fc95b297675a164e6b14
                                                                                                                                                        • Opcode Fuzzy Hash: a1ab7a68aff8bedc3b64a61dbb5013abf58b0dc14c41df7411b28fea58b295dd
                                                                                                                                                        • Instruction Fuzzy Hash: 0BF039B5D04209EFCB01DFB4DA488CDBBB6EB84200F1082AAD806E3244EA314B55DB90
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A0CE88 Relevance: .0, Instructions: 23COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 447840e767661842b2fc03169fd7be192fb599bbb574467a4402c5090a82eb76
                                                                                                                                                        • Instruction ID: c2580c71898490ef55f47aea2bd9340da9654ac01b92677bb0a9e6c499ff92f6
                                                                                                                                                        • Opcode Fuzzy Hash: 447840e767661842b2fc03169fd7be192fb599bbb574467a4402c5090a82eb76
                                                                                                                                                        • Instruction Fuzzy Hash: D6E026F5205382AFCF43DB30B41A46A3BAAEB5220030600E9DC86DB302E92C5C0683D2
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A0E1FF Relevance: .0, Instructions: 22COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 9a33eefd3cf75022711ef1d63fecbb424b265eeeecba42d63fa5e171c880223f
                                                                                                                                                        • Instruction ID: b6d2d8f3d1bf8134ff921f897396e0eaebb808315c15ac4e4be40ff448749ac7
                                                                                                                                                        • Opcode Fuzzy Hash: 9a33eefd3cf75022711ef1d63fecbb424b265eeeecba42d63fa5e171c880223f
                                                                                                                                                        • Instruction Fuzzy Hash: 45E048F2949355EFCB01DF78A9508AD7BF5DB5210172046D6D809E7261D5340F158761
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A0E8F8 Relevance: .0, Instructions: 21COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: ce2e53cb71dd8eb2559a2d0c59c1af35f51a457c54ba4514f1f1170a1a50e847
                                                                                                                                                        • Instruction ID: 8dc305629c2528ce90187732c4f84ab510184900e218bde4af7e53dd90912dd2
                                                                                                                                                        • Opcode Fuzzy Hash: ce2e53cb71dd8eb2559a2d0c59c1af35f51a457c54ba4514f1f1170a1a50e847
                                                                                                                                                        • Instruction Fuzzy Hash: F6E0123A2542449FC7429B54D8408993F79BF5A65474940D5F5808F372C622D821DBA1
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A0AC80 Relevance: .0, Instructions: 20COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 3c8faa864441ef82362cf0f1dc74c4b82d3e5653fb4a427fcb300298e144e56a
                                                                                                                                                        • Instruction ID: 32355c7698c1a2482f31959c45986df71b03bf74e2b0c4c30a3e458fcf41b5bd
                                                                                                                                                        • Opcode Fuzzy Hash: 3c8faa864441ef82362cf0f1dc74c4b82d3e5653fb4a427fcb300298e144e56a
                                                                                                                                                        • Instruction Fuzzy Hash: BBD05E32310229978B1677A9B4184BF7BABEBC9662301042EE70FCB240CEA51D0787E5
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A0B510 Relevance: .0, Instructions: 19COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 5de7d63449054f61547962491b6072f826a2f8bef31fb57768eb41d47a4b096f
                                                                                                                                                        • Instruction ID: 8711f862a535674c4cf757024b29c12b87143cc6bb2072a1ed2994e7a568f421
                                                                                                                                                        • Opcode Fuzzy Hash: 5de7d63449054f61547962491b6072f826a2f8bef31fb57768eb41d47a4b096f
                                                                                                                                                        • Instruction Fuzzy Hash: 3EE09275D0020DEFCB40DFE8E9448DDBBB9EB48200F1082AAD909A3200EB306B55EF90
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A0E280 Relevance: .0, Instructions: 18COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: b1dac1a3e7fc4b1e8c4cef71a8120f206854f13ce63c8a2699ca1ba89c0034d5
                                                                                                                                                        • Instruction ID: e4ca46f517bda40d9c3e459a62f5cbb59aeff5ff343888ae0bbb23392497b24d
                                                                                                                                                        • Opcode Fuzzy Hash: b1dac1a3e7fc4b1e8c4cef71a8120f206854f13ce63c8a2699ca1ba89c0034d5
                                                                                                                                                        • Instruction Fuzzy Hash: AEE04FB16006279BCB44EF24FE0664673A9F749744F110165D801B76A0C77C2D599BD2
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A0E210 Relevance: .0, Instructions: 16COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: bd3b24e457cb9e9fbf600c6307a38736ce1851ea235f2cdc8cad160e21bca641
                                                                                                                                                        • Instruction ID: ec9b219e7896b9e7a40918502aea7b48f20987a68787faf1144329ece18af23f
                                                                                                                                                        • Opcode Fuzzy Hash: bd3b24e457cb9e9fbf600c6307a38736ce1851ea235f2cdc8cad160e21bca641
                                                                                                                                                        • Instruction Fuzzy Hash: 8ED017B2A0020DFF8B40EFA8E90195EB7F9EB44205B1085A99409E3200EA352F009BA1
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A0F8EA Relevance: .0, Instructions: 14COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 17c0c04f795f0bc49303d1e2bdaa10a454868d46ba5a67abba7bc81c60e05fed
                                                                                                                                                        • Instruction ID: ed48132114f4d3f905cba75921e0ee278a192d017df6061f85bc50391df12060
                                                                                                                                                        • Opcode Fuzzy Hash: 17c0c04f795f0bc49303d1e2bdaa10a454868d46ba5a67abba7bc81c60e05fed
                                                                                                                                                        • Instruction Fuzzy Hash: 69C012B37900204F0AE9A66CB0101AD66D397D85A23AA007AEA0AC3348DD608C864B90
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A0DFD1 Relevance: .0, Instructions: 9COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: e25322b15a9bf4b4aa744a043399dbb7b24e529d53f3423909fa8b446f5c14a6
                                                                                                                                                        • Instruction ID: 59b90a289f752a9c6598e7cebf3cce9d7cc5244938716fee29fbbd5e2e2aef79
                                                                                                                                                        • Opcode Fuzzy Hash: e25322b15a9bf4b4aa744a043399dbb7b24e529d53f3423909fa8b446f5c14a6
                                                                                                                                                        • Instruction Fuzzy Hash: 33B09B6638F7805ED71605244C155453A164FE7E1470400DFD7539D1A6C612044B43E1
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A03721 Relevance: .0, Instructions: 8COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: e7d002279a471f24bed9af6143647064568712c88f7b040865133c5d8fc6eafc
                                                                                                                                                        • Instruction ID: 6594ad9538077bb91fe62e429a66ed6ec9d44faf0be80951763745ea4aefe8dd
                                                                                                                                                        • Opcode Fuzzy Hash: e7d002279a471f24bed9af6143647064568712c88f7b040865133c5d8fc6eafc
                                                                                                                                                        • Instruction Fuzzy Hash: CDC02BF2C343400FF30061906C06F057F104374702F031021E712071C3E644D0088161
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Non-executed Functions

                                                                                                                                                        Function 06A0E2C7 Relevance: 46.6, Strings: 37, Instructions: 387COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj
                                                                                                                                                        • API String ID: 0-3760891704
                                                                                                                                                        • Opcode ID: 610070f79c68b70077f7ba84fe620a72a2cd1eac1f79f937f9d02e05f5bcdada
                                                                                                                                                        • Instruction ID: d1c1cc8269b3c352911670c99cd96552c67aea5bf81e2febd84a1bd29c861f4f
                                                                                                                                                        • Opcode Fuzzy Hash: 610070f79c68b70077f7ba84fe620a72a2cd1eac1f79f937f9d02e05f5bcdada
                                                                                                                                                        • Instruction Fuzzy Hash: 2DD1AE30310611ABC705AAB99C93EBDA797FB8A301B40493CD12A4F791EFB96D1943C7
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A0E2D8 Relevance: 46.6, Strings: 37, Instructions: 383COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj
                                                                                                                                                        • API String ID: 0-3760891704
                                                                                                                                                        • Opcode ID: a659010fbd5e1bb968d594091ed8c4fba1ae40c741826d29f6bdeed0dc008780
                                                                                                                                                        • Instruction ID: 9195980bd0f0c37b2cf3a0fce9098647c963364d9f074c3b08458d62d021ac92
                                                                                                                                                        • Opcode Fuzzy Hash: a659010fbd5e1bb968d594091ed8c4fba1ae40c741826d29f6bdeed0dc008780
                                                                                                                                                        • Instruction Fuzzy Hash: 92D1AE30310611ABC705AAB99C93EBDA697FB8B301B44493CD12A4F791EFB96C1943C7
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A0CC7F Relevance: 16.4, Strings: 13, Instructions: 148COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj
                                                                                                                                                        • API String ID: 0-2950335420
                                                                                                                                                        • Opcode ID: d503168d923e26f5a993f737bd2f277d335d481a8b238b4c547910cd13fc7edd
                                                                                                                                                        • Instruction ID: 1f0a5aaeba93067882e2f56a6bda1c98b2a6adde5c555cb4ebd2ff85298ae923
                                                                                                                                                        • Opcode Fuzzy Hash: d503168d923e26f5a993f737bd2f277d335d481a8b238b4c547910cd13fc7edd
                                                                                                                                                        • Instruction Fuzzy Hash: 5C41A1303106116BD705AAB99C93ABD6793FB97200B404A38D22E4FA82DFB96D0943D7
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A0CC90 Relevance: 16.4, Strings: 13, Instructions: 143COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj
                                                                                                                                                        • API String ID: 0-2950335420
                                                                                                                                                        • Opcode ID: c7e320a8e0ccb67dc61dd69bda589afc8d628423eea273bd337801a59f9ab6e0
                                                                                                                                                        • Instruction ID: e8d8c63b5300f261f9445237cfb01a01e21caa0eb58a877d61cf203aeb7beb9c
                                                                                                                                                        • Opcode Fuzzy Hash: c7e320a8e0ccb67dc61dd69bda589afc8d628423eea273bd337801a59f9ab6e0
                                                                                                                                                        • Instruction Fuzzy Hash: FA4171303106116BD705AAB99C83ABD6793FB97201B404A38D22E4FA85DFBD6D0947D7
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A0CED1 Relevance: 10.1, Strings: 8, Instructions: 101COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj
                                                                                                                                                        • API String ID: 0-4266538241
                                                                                                                                                        • Opcode ID: c384ce9041842240e21064b00cfd67701e6516da365eccfbcda886836710072e
                                                                                                                                                        • Instruction ID: b7200d7854c21086d835f0159d6944960242471cec4aa2760c261f3583972902
                                                                                                                                                        • Opcode Fuzzy Hash: c384ce9041842240e21064b00cfd67701e6516da365eccfbcda886836710072e
                                                                                                                                                        • Instruction Fuzzy Hash: A731B4303103116BC706AAA99C83BBD6B93FB87200B404A38E11E4FB81DFB96D4943D7
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A0CEE0 Relevance: 10.1, Strings: 8, Instructions: 93COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: DGj$DGj$DGj$DGj$DGj$DGj$DGj$DGj
                                                                                                                                                        • API String ID: 0-4266538241
                                                                                                                                                        • Opcode ID: 09ba6cbdffe0411cead8491d8582edb9c29fa9dafef99c74a58af2ccc5e5bf10
                                                                                                                                                        • Instruction ID: 8d24a577b8731465df496f38e6efcec81c64e3ebb6476840c7ea6c3d83c086e1
                                                                                                                                                        • Opcode Fuzzy Hash: 09ba6cbdffe0411cead8491d8582edb9c29fa9dafef99c74a58af2ccc5e5bf10
                                                                                                                                                        • Instruction Fuzzy Hash: EB2195303102116BC705AAA99C83FBD6793FB86200B404A38E21E4FA81DFB96C4943D7
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A0C968 Relevance: 8.8, Strings: 7, Instructions: 88COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: DGj$DGj$DGj$DGj$DGj$DGj$DGj
                                                                                                                                                        • API String ID: 0-3215742008
                                                                                                                                                        • Opcode ID: 0a9f2ef18fc6ef81b1cdd14ab8f1be5d087ed1d057540d044fd2ec6a2b1295c6
                                                                                                                                                        • Instruction ID: a8111b2c12938670d8701aef6cac8e3d7c219a056b69f30f7c2509eef111b358
                                                                                                                                                        • Opcode Fuzzy Hash: 0a9f2ef18fc6ef81b1cdd14ab8f1be5d087ed1d057540d044fd2ec6a2b1295c6
                                                                                                                                                        • Instruction Fuzzy Hash: F731D9303002936FDB016BB9DC55DAD7B93FBA77017044638E11A9F690CEB89D8A87C2
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A0C978 Relevance: 8.8, Strings: 7, Instructions: 83COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: DGj$DGj$DGj$DGj$DGj$DGj$DGj
                                                                                                                                                        • API String ID: 0-3215742008
                                                                                                                                                        • Opcode ID: 164ab447e0e704532a8462e280e7f866c0f1c9dca51113e54fb701c59abfdbde
                                                                                                                                                        • Instruction ID: 7bd46770958c7c9f38581ff8f8eed94553c409fd054904e27031af17e276db9b
                                                                                                                                                        • Opcode Fuzzy Hash: 164ab447e0e704532a8462e280e7f866c0f1c9dca51113e54fb701c59abfdbde
                                                                                                                                                        • Instruction Fuzzy Hash: B121BC303002936BCB056FA9DC46DBD7B93FBA7701B004538E1199F690CEB99D8A87C2
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A0D538 Relevance: 7.6, Strings: 6, Instructions: 79COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: DGj$DGj$DGj$DGj$DGj$DGj
                                                                                                                                                        • API String ID: 0-1101258311
                                                                                                                                                        • Opcode ID: d0b4cf4781c588596f6693a5fc8f1a5f27b165d1a5692ca87928de1d90266551
                                                                                                                                                        • Instruction ID: d259692cadbbdb76edafdfeb747e99d7ba5c95f94efa2f0080e3a6d8dc275593
                                                                                                                                                        • Opcode Fuzzy Hash: d0b4cf4781c588596f6693a5fc8f1a5f27b165d1a5692ca87928de1d90266551
                                                                                                                                                        • Instruction Fuzzy Hash: 5721D3303103516FC7065AA99C93ABD6B93FB97600B404A3CD11A4FB81DFB95D1943D3
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A0D548 Relevance: 7.6, Strings: 6, Instructions: 73COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: DGj$DGj$DGj$DGj$DGj$DGj
                                                                                                                                                        • API String ID: 0-1101258311
                                                                                                                                                        • Opcode ID: 351ed81a23075aa9e743d918bba303dd2ee93c476a508f8d094986fa9bfcee7a
                                                                                                                                                        • Instruction ID: 171bdc7152d154143ae05a1aee3a47cf3439180df0f21bc37dc9b7519677f74d
                                                                                                                                                        • Opcode Fuzzy Hash: 351ed81a23075aa9e743d918bba303dd2ee93c476a508f8d094986fa9bfcee7a
                                                                                                                                                        • Instruction Fuzzy Hash: A711A4303102117BC7016AA99C83EBDA793FB87600B404A3CE11A4FA81DFBA6D5943D3
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                        Function 06A0ED10 Relevance: 5.2, Strings: 4, Instructions: 241COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000003.00000002.1791057472.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_3_2_6a00000_RegAsm.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: (_dq$(_dq$(_dq$(_dq
                                                                                                                                                        • API String ID: 0-2092114380
                                                                                                                                                        • Opcode ID: ff8225ec91c5565a6dcab52d4d44b3c749cebff0b23d63b50ae2d2de939f556d
                                                                                                                                                        • Instruction ID: e796e05f3b187da03b99ef262f02dd36214cfe0ddd28fa1ecc99541838ddfe9e
                                                                                                                                                        • Opcode Fuzzy Hash: ff8225ec91c5565a6dcab52d4d44b3c749cebff0b23d63b50ae2d2de939f556d
                                                                                                                                                        • Instruction Fuzzy Hash: 3F91AC79A04304AFDB45AF78D4105AE7BB2FF86300F24846ADD069B381DA35DE06CBE1
                                                                                                                                                        Uniqueness

                                                                                                                                                        Uniqueness Score: -1.00%