Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1435951
MD5: 702021300aed8dfde070019d752b020d
SHA1: 45f152925534102013fbe5c17805ca938499256d
SHA256: e75a30472c88c4a2d875b19a60c704d773de97c025a87e5e813b02cbaccb4678
Tags: exe

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RedLine Stealer
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign process
Installs new ROOT certificates
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops certificate files (DER)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • file.exe (PID: 5228 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 702021300AED8DFDE070019D752B020D)
    • RegAsm.exe (PID: 712 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup
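The process tree above, read together with the signatures "Creates a process in suspended mode", "Allocates memory in foreign processes", "Writes to foreign memory regions" and "Injects a PE file into a foreign process", is the process-hollowing pattern: file.exe starts RegAsm.exe with no arguments and uses it as a host for the unpacked RedLine payload (which is why the YARA hits land in 1.2.RegAsm.exe.400000.0.unpack). The following is an added example of how a detection engineer would turn that into a process-creation heuristic; it is not code from the Joe Sandbox report. The event records are constructed to mirror the report's tree (PIDs, image paths, command lines and MD5s are the report's); the Sysmon-style field names, the parent of file.exe (assumed to be explorer.exe) and the benign contrast event are assumptions.

```python
"""Process-hollowing heuristic for the pattern in the report's process tree.

Added example, not code from the Joe Sandbox report. The event records are
constructed to mirror the report's tree; the Sysmon-style field names and the
parent of file.exe (assumed to be explorer.exe) are assumptions.
"""
import re
from typing import Dict, List

# .NET framework tools whose legitimate invocations always carry an argument
# (an assembly or type-library path). An empty command line is the tell that
# the process exists only as a host for injected code.
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe"}

# Locations an unprivileged user can write to; a parent living there is the
# usual position of a dropper or stager.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\|programdata\\|windows\\temp\\)", re.IGNORECASE)

# Constructed records mirroring the report's process tree.
EVENTS: List[Dict] = [
    {"pid": 5228, "image": r"C:\Users\user\Desktop\file.exe",
     "cmdline": r'"C:\Users\user\Desktop\file.exe"',
     "md5": "702021300AED8DFDE070019D752B020D",
     "parent_pid": 0, "parent_image": r"C:\Windows\explorer.exe"},  # parent assumed
    {"pid": 712, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
     "md5": "0D5DF43AF2916F47D00C1573797C1A13",
     "parent_pid": 5228, "parent_image": r"C:\Users\user\Desktop\file.exe"},
]

# Constructed benign contrast: the same RegAsm.exe, but launched with an
# assembly argument by an installer under Program Files.
BENIGN: Dict = {
    "pid": 4100, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
    "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /codebase "C:\Program Files\Vendor\Lib.dll"',
    "md5": "0D5DF43AF2916F47D00C1573797C1A13",
    "parent_pid": 4000, "parent_image": r"C:\Program Files\Vendor\setup.exe",
}


def split_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line into argv, honouring double quotes."""
    argv, cur, quoted = [], "", False
    for ch in cmdline.strip():
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                argv.append(cur)
                cur = ""
        else:
            cur += ch
    if cur:
        argv.append(cur)
    return argv


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_process_create(ev: Dict) -> List[str]:
    """Return the names of every heuristic the event trips (empty = clean)."""
    reasons: List[str] = []
    argv = split_cmdline(ev["cmdline"])
    if basename(ev["image"]) in DOTNET_HOSTS and len(argv) <= 1:
        reasons.append("dotnet_utility_without_arguments")
    if USER_WRITABLE.match(ev["parent_image"]):
        reasons.append("parent_in_user_writable_path")
    return reasons


def flag_tree(events: List[Dict]) -> Dict[int, List[str]]:
    """PID -> reasons for events that show the high-signal tell (a .NET host
    with no arguments); the parent-location reason is kept as corroboration
    but never flags on its own, since children of portable apps would be noise."""
    flagged: Dict[int, List[str]] = {}
    for ev in events:
        reasons = score_process_create(ev)
        if "dotnet_utility_without_arguments" in reasons:
            flagged[ev["pid"]] = reasons
    return flagged


if __name__ == "__main__":
    for pid, reasons in flag_tree(EVENTS + [BENIGN]).items():
        print(pid, reasons)
```

Run against the constructed tree, only PID 712 (RegAsm.exe) is flagged, with both reasons; the installer-driven RegAsm.exe run is not, because it carries an argument and its parent lives outside user-writable space. The image-hash check is deliberately absent: RegAsm.exe is a signed Microsoft binary with a clean hash in both cases, which is exactly why hollowing it is attractive.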
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": "5.42.65.96:28380", "Bot Id": "LogsDiller Cloud (TG: @logsdillabot)", "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}
Yara matches on the network capture:

Source | Rule | Description | Author
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Yara matches on memory dumps:

Source | Rule | Description | Author
00000000.00000002.2057040700.00000000008DD000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000001.00000002.2196742233.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000001.00000002.2198042480.000000000323A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(3 further memory-dump entries are collapsed in the report)

Yara matches on unpacked PE files:

Source | Rule | Description | Author
0.2.file.exe.8df028.1.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
1.2.RegAsm.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.file.exe.8df028.1.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.file.exe.8b0000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
No Sigma rule has matched

Snort IDS alerts (all TCP, classtype "A Network Trojan was detected"):

Timestamp | SID | Source Port | Destination Port
05/03/24-13:40:54.255282 | 2043234 | 28380 | 49699
05/03/24-13:40:54.078459 | 2046045 | 49699 | 28380
05/03/24-13:40:59.478662 | 2046056 | 28380 | 49699
05/03/24-13:41:06.269199 | 2043231 | 49699 | 28380

                        AV Detection

Source: file.exe | Avira: detected
Source: 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": "5.42.65.96:28380", "Bot Id": "LogsDiller Cloud (TG: @logsdillabot)", "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}
Source: file.exe | Virustotal: Detection: 24%
Source: file.exe | Joe Sandbox ML: detected
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C8EA6 FindFirstFileExW, 0_2_008C8EA6

                        Networking

Source: Traffic | Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.6:49699 -> 5.42.65.96:28380
Source: Traffic | Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.6:49699 -> 5.42.65.96:28380
Source: Traffic | Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 5.42.65.96:28380 -> 192.168.2.6:49699
Source: Traffic | Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 5.42.65.96:28380 -> 192.168.2.6:49699
Source: Malware configuration extractor | URLs: 5.42.65.96:28380
Source: global traffic | TCP traffic: 192.168.2.6:49699 -> 5.42.65.96:28380
Source: Joe Sandbox View | IP Address: 5.42.65.96
Source: Joe Sandbox View | ASN Name: RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU
Source: unknown | TCP traffic detected without corresponding DNS query: 5.42.65.96 (this finding is repeated 50 times in the report)
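Three independent pieces of network evidence on this page point at the same endpoint: the extracted configuration names 5.42.65.96:28380 as the C2, the sandbox saw TCP connections to that address with no DNS query that could have produced it (a hard-coded IP, exactly what a config-embedded C2 looks like on the wire), and Emerging Threats rules fired in both directions of the 192.168.2.6:49699 <-> 5.42.65.96:28380 flow, so the server answered rather than merely being beaconed at. The rule names mention MC-NMF (.NET Message Framing), the framing used by WCF's net.tcp binding, which is consistent with the SOAP and WS-* namespace strings found in RegAsm.exe memory. The following is an added example of correlating these three sources into one verdict; it is not code from the Joe Sandbox report. The records are constructed to mirror the report (IPs, ports, Snort SIDs and timestamps are the report's); the record layout and the empty DNS-answer set, which encodes the "no corresponding DNS query" finding, are assumptions.

```python
"""Correlating the report's network evidence into a C2 verdict.

Added example, not code from the Joe Sandbox report. The records are
constructed to mirror the report; the record layout (Zeek/Suricata-like
dicts) and the empty DNS-answer set are assumptions.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Endpoint = Tuple[str, int]

# From the report's malware configuration extractor.
CONFIG = {"C2 url": "5.42.65.96:28380"}

# Constructed connection record mirroring the report's "global traffic" line.
CONNS: List[Dict] = [
    {"ts": "13:40:54.078459", "proto": "tcp", "src": "192.168.2.6", "sport": 49699,
     "dst": "5.42.65.96", "dport": 28380},
]

# Every IP that any DNS answer in the capture resolved to. Nothing resolved to
# the C2 in the report, so the set is empty.
DNS_ANSWERS: Set[str] = set()

# Constructed alert records mirroring the report's four Snort hits.
ALERTS: List[Dict] = [
    {"ts": "13:40:54.255282", "sid": 2043234, "src": "5.42.65.96", "sport": 28380, "dst": "192.168.2.6", "dport": 49699},
    {"ts": "13:40:54.078459", "sid": 2046045, "src": "192.168.2.6", "sport": 49699, "dst": "5.42.65.96", "dport": 28380},
    {"ts": "13:40:59.478662", "sid": 2046056, "src": "5.42.65.96", "sport": 28380, "dst": "192.168.2.6", "dport": 49699},
    {"ts": "13:41:06.269199", "sid": 2043231, "src": "192.168.2.6", "sport": 49699, "dst": "5.42.65.96", "dport": 28380},
]


def is_external(ip: str) -> bool:
    return ipaddress.ip_address(ip).is_global


def contacted_without_dns(conns: Iterable[Dict], dns_answers: Set[str]) -> Set[str]:
    """External destinations reached by literal IP: no DNS answer produced them."""
    return {c["dst"] for c in conns
            if is_external(c["dst"]) and c["dst"] not in dns_answers}


def flow_key(rec: Dict) -> Tuple[Endpoint, Endpoint]:
    """Direction-independent key so both halves of a session group together."""
    a: Endpoint = (rec["src"], rec["sport"])
    b: Endpoint = (rec["dst"], rec["dport"])
    return (a, b) if a <= b else (b, a)


def c2_sessions(alerts: Iterable[Dict]) -> Dict[Tuple[Endpoint, Endpoint], Dict]:
    """Group IDS alerts per flow and record which endpoints were seen sending."""
    sessions: Dict = defaultdict(
        lambda: {"sids": set(), "senders": set(), "first": None, "last": None})
    # Fixed-width HH:MM:SS.ffffff timestamps sort correctly as text.
    for a in sorted(alerts, key=lambda r: r["ts"]):
        s = sessions[flow_key(a)]
        s["sids"].add(a["sid"])
        s["senders"].add((a["src"], a["sport"]))
        s["first"] = s["first"] or a["ts"]
        s["last"] = a["ts"]
    return dict(sessions)


def c2_verdict(config: Dict, conns: Iterable[Dict], alerts: Iterable[Dict],
               dns_answers: Set[str]) -> Dict:
    """Tie the config-declared C2 to what was observed on the wire."""
    host, port_str = config["C2 url"].rsplit(":", 1)
    c2: Endpoint = (host, int(port_str))
    sessions = c2_sessions(alerts)
    hits = [s for key, s in sessions.items() if c2 in key]
    return {
        "c2": c2,
        "reached_by_literal_ip": host in contacted_without_dns(conns, dns_answers),
        "ids_sids": sorted(set().union(*(s["sids"] for s in hits))) if hits else [],
        # Alerts sent by both endpoints mean the server answered, not just a beacon attempt.
        "two_way_c2": any(len(s["senders"]) == 2 for s in hits),
        "window": (hits[0]["first"], hits[0]["last"]) if hits else None,
    }


if __name__ == "__main__":
    print(c2_verdict(CONFIG, CONNS, ALERTS, DNS_ANSWERS))
```

With the report's data the verdict names ("5.42.65.96", 28380) as a live, two-way C2 reached by literal IP, with all four SIDs attached and an activity window from 13:40:54 to 13:41:06. Blocking by the config IP:port is the obvious action; the "reached_by_literal_ip" field is the one worth keeping as a standalone hunt, since a stealer whose C2 is hard-coded will trip it on the next sample even before an IDS signature exists.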
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003461000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2198042480.00000000030AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                        Source: RegAsm.exe, 00000001.00000002.2198042480.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                        Source: RegAsm.exe, 00000001.00000002.2198042480.000000000323A000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                        Source: RegAsm.exe, 00000001.00000002.2198042480.00000000030AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                        Source: RegAsm.exe, 00000001.00000002.2198042480.000000000323A000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003461000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2198042480.00000000030AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
                        Source: RegAsm.exe, 00000001.00000002.2198042480.00000000033C9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16V
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                        Source: RegAsm.exe, 00000001.00000002.2198042480.00000000030AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                        Source: RegAsm.exe, 00000001.00000002.2198042480.00000000030AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                        Source: RegAsm.exe, 00000001.00000002.2198042480.00000000030AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                        Source: RegAsm.exe, 00000001.00000002.2198042480.00000000034D1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2198042480.00000000030AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                        Source: RegAsm.exe, 00000001.00000002.2198042480.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                        Source: RegAsm.exe, 00000001.00000002.2198042480.00000000030AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2198042480.00000000030AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2198042480.00000000030AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                        Source: RegAsm.exe, 00000001.00000002.2198042480.00000000030AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                        Source: RegAsm.exe, 00000001.00000002.2198042480.00000000030AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                        Source: RegAsm.exe, 00000001.00000002.2198042480.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2198042480.000000000344F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                        Source: RegAsm.exe, 00000001.00000002.2198042480.00000000030AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003432000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                        Source: RegAsm.exe, 00000001.00000002.2198042480.00000000030AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003432000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                        Source: RegAsm.exe, 00000001.00000002.2198042480.0000000003432000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2198042480.00000000030AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
Source: file.exe, file.exe, 00000000.00000002.2057040700.00000000008DD000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000001.00000002.2196742233.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.sb/ip
Source: file.exe, 00000000.00000002.2057192548.000000000092E000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: RegisterRawInputDevicesmemstr_81dae805-f
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Local\Temp\TmpDC13.tmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Local\Temp\TmpDC02.tmp
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008CB50B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008CCD70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008BEEE0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C3653
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008BBE6D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C3F3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_011EDC74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_067A67D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_067AA3E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_067AA3D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_067A6FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_067A6FE8
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 008B6A00 appears 49 times
Source: file.exe | Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000002.2057040700.0000000000922000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameStoutest.exe8 vs file.exe
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: .Left ZLIB complexity 0.9980692512274959
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/5@0/1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Local\Temp\TmpDC02.tmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Program Files (x86)\desktop.ini
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | Virustotal: Detection: 24%
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
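The two process-creation entries above and the WMI queries a few lines earlier together describe the RedLine loader pattern: the dropper on the Desktop starts the legitimate .NET utility RegAsm.exe with no arguments at all (only the quoted image path), then the hollowed RegAsm.exe enumerates Win32_Process and Win32_Processor through IWbemServices::ExecQuery. Genuine RegAsm invocations always carry an assembly path and are normally spawned by build or installer tooling. The following detection logic is an added example, not part of the Joe Sandbox report; the event dataclasses, the parent allow-list and the telemetry records are constructed to resemble Sysmon-style process-creation and WMI-activity events, and the lists of expected parents and reconnaissance classes are assumptions to be tuned per environment.

```python
"""Detect argument-less RegAsm.exe launches and WMI reconnaissance by the same process.

Added example (not from the sandbox report). Event shapes and sample data are constructed.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessCreate:
    image: str          # full path of the new process
    command_line: str   # command line as logged (e.g. Sysmon event 1 CommandLine)
    parent_image: str   # full path of the creating process


@dataclass(frozen=True)
class WmiQuery:
    image: str          # process that issued IWbemServices::ExecQuery
    query: str          # WQL text


# .NET framework utilities that loaders hollow out (assumption: illustrative list).
HOLLOW_TARGETS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
# Parents that legitimately launch those tools (assumption: tune per environment).
EXPECTED_PARENTS = {"msbuild.exe", "devenv.exe", "cmd.exe", "powershell.exe", "msiexec.exe", "setup.exe"}
# WMI classes the report shows being queried for reconnaissance / VM detection.
RECON_CLASSES = {"win32_process", "win32_processor", "win32_diskdrive", "win32_videocontroller"}

_FROM_RE = re.compile(r"\bFROM\s+([A-Za-z0-9_]+)", re.IGNORECASE)


def arguments_after_image(command_line: str) -> str:
    """Return the part of a Windows command line after the (possibly quoted) image token."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return cl[end + 1:].strip() if end != -1 else ""
    parts = cl.split(None, 1)
    return parts[1].strip() if len(parts) == 2 else ""


def check_process(ev: ProcessCreate) -> list[str]:
    """Rule 1: a hollowing target started with no arguments and/or from an unexpected parent.

    RegAsm.exe needs an assembly path to do any real work, so an empty argument
    string is itself anomalous; combined with a non-tooling parent it matches the
    file.exe -> RegAsm.exe chain in the report.
    """
    findings: list[str] = []
    image = ntpath.basename(ev.image).lower()
    parent = ntpath.basename(ev.parent_image).lower()
    if image in HOLLOW_TARGETS:
        if not arguments_after_image(ev.command_line):
            findings.append(f"{image} launched without arguments by {parent}")
        if parent not in EXPECTED_PARENTS:
            findings.append(f"{image} launched by unexpected parent {parent}")
    return findings


def check_wmi(events: list[WmiQuery]) -> list[str]:
    """Rule 2: one process querying two or more reconnaissance classes."""
    seen: dict[str, set[str]] = {}
    for ev in events:
        m = _FROM_RE.search(ev.query)
        if m and m.group(1).lower() in RECON_CLASSES:
            seen.setdefault(ntpath.basename(ev.image).lower(), set()).add(m.group(1).lower())
    return [f"{img} queried {sorted(cls)}" for img, cls in seen.items() if len(cls) >= 2]


REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

# Constructed sample telemetry modelled on the report (not sandbox output).
SAMPLE_PROCS = [
    ProcessCreate(REGASM, f'"{REGASM}"', r"C:\Users\user\Desktop\file.exe"),
    ProcessCreate(REGASM, f'"{REGASM}" /codebase C:\build\MyLib.dll',
                  r"C:\Program Files\Microsoft Visual Studio\MSBuild.exe"),
]
SAMPLE_WMI = [
    WmiQuery(REGASM, "SELECT * FROM Win32_Process Where SessionId='1'"),
    WmiQuery(REGASM, "SELECT * FROM Win32_Processor"),
    WmiQuery(r"C:\Windows\System32\wbem\WmiPrvSE.exe", "SELECT * FROM Win32_Process"),
]


def run_detections(procs=SAMPLE_PROCS, wmi=SAMPLE_WMI) -> list[str]:
    """Apply both rules and return the alert strings in evaluation order."""
    findings: list[str] = []
    for ev in procs:
        findings.extend(check_process(ev))
    findings.extend(check_wmi(wmi))
    return findings


if __name__ == "__main__":
    for alert in run_detections():
        print("ALERT:", alert)
```

The second constructed record (RegAsm.exe with `/codebase` under MSBuild) is the benign control and produces no alert; on real telemetry the parent allow-list is the knob that decides the false-positive rate.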
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dwrite.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msvcp140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msisip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wshext.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: appxsip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: opcservices.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: esdsip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: scrrun.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: linkinfo.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
Source: Google Chrome.lnk.1.dr | LNK file: ..\..\..\Program Files\Google\Chrome\Application\chrome.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe | Static PE information: section name: .DAX
Source: file.exe | Static PE information: section name: .Left
Source: file.exe | Static PE information: section name: .INV
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008B6158 push ecx; ret 0_2_008B616B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008D5F3D push esi; ret 0_2_008D5F46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_011E01A5 push esp; ret 1_2_011E01B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_067AE060 push es; ret 1_2_067AE070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_067AECF2 push eax; ret 1_2_067AED01
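The static PE findings on this sample point the same way: non-standard section names (.DAX, .Left, .INV) and a ZLIB complexity of 0.998 for .Left, i.e. a section that does not compress at all and therefore holds encrypted or packed data, consistent with the payload that later lands in RegAsm.exe. The following triage script is an added example, not tooling from Joe Sandbox or from the sample's author. It parses the PE section table with the standard library only, reports a zlib compression ratio per section (assumed here to be what the report calls ZLIB complexity), and flags sections that are both incompressible and oddly named. Because the original file.exe is not available here, a minimal 32-bit PE with a compressible .text and an incompressible .Left section is constructed in code.

```python
"""Per-section compressibility triage for a PE file (added example, stdlib only)."""
from __future__ import annotations

import hashlib
import struct
import zlib

STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".pdata", ".tls", ".bss", ".CRT"}


def pe_sections(data: bytes) -> list[dict]:
    """Return name, raw offset/size and virtual size for every section in a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16 (after the 4-byte signature)
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": raw_size, "raw_ptr": raw_ptr})
    return sections


def zlib_complexity(buf: bytes) -> float:
    """Compressed/raw size ratio, capped at 1.0; ~1.0 means encrypted or already packed data.
    Assumption: this mirrors the metric the sandbox reports as 'ZLIB complexity'."""
    if not buf:
        return 0.0
    return min(1.0, len(zlib.compress(buf, 9)) / len(buf))


def triage_sections(data: bytes, threshold: float = 0.9) -> list[tuple[str, float, list[str]]]:
    """Score each section and attach the reasons it looks like a packed payload carrier."""
    out = []
    for s in pe_sections(data):
        raw = data[s["raw_ptr"]: s["raw_ptr"] + s["raw_size"]]
        ratio = zlib_complexity(raw)
        flags = []
        if raw and ratio >= threshold:
            flags.append("high-entropy")
        if s["name"] not in STANDARD_SECTIONS:
            flags.append("non-standard name")
        out.append((s["name"], round(ratio, 3), flags))
    return out


def _pseudo_random(n: int) -> bytes:
    """Deterministic incompressible filler (SHA-256 chain) standing in for a packed payload."""
    out, block = bytearray(), b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_pe() -> bytes:
    """Construct a minimal PE32 (not the analysed sample): a benign .text and a packed .Left."""
    text = (b"mov eax, eax; " * 40)[:512]
    secs = [(b".text", 512, 0x1000, text), (b".Left", 4096, 0x2000, _pseudo_random(4096))]
    e_lfanew, size_opt = 64, 224
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, size_opt, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (size_opt - 2)
    headers_len = e_lfanew + 4 + 20 + size_opt + 40 * len(secs)
    first_raw = (headers_len + 511) // 512 * 512          # file alignment 512
    table, body = b"", b""
    for name, raw_size, vaddr, payload in secs:
        table += struct.pack("<8sIIIIIIHHI", name, len(payload), vaddr, raw_size,
                             first_raw + len(body), 0, 0, 0, 0, 0x60000020)
        body += payload.ljust(raw_size, b"\0")
    return (dos + b"PE\0\0" + coff + opt + table).ljust(first_raw, b"\0") + body


if __name__ == "__main__":
    for name, ratio, flags in triage_sections(build_sample_pe()):
        print(f"{name:<8} zlib={ratio:.3f} {' '.join(flags)}")
```

Run against a real file with `triage_sections(open(path, "rb").read())`; the interesting sections are those carrying both flags, as .Left would for this sample.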

                        Persistence and Installation Behavior

                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 11E0000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 2F90000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 2D90000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 2363
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 6099
                        Source: C:\Users\user\Desktop\file.exe | API coverage: 5.4 %
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2588 | Thread sleep time: -26747778906878833s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2616 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C8EA6 FindFirstFileExW,0_2_008C8EA6
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004240000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004240000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004240000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004275000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696487552f
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004240000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696487552j
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004240000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004240000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004275000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004240000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696487552t
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004275000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696487552
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004275000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004275000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696487552
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004275000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696487552o
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004240000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004240000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696487552o
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004240000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696487552
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004240000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004240000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696487552t
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004275000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696487552
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004240000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004240000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004275000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696487552
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004275000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696487552j
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004240000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696487552
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004275000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004275000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004240000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004240000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696487552
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004275000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004240000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004275000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696487552t
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004240000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696487552f
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004240000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004240000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004240000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004275000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004275000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004275000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004275000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696487552x
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004240000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696487552x
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004240000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004240000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004275000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004240000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696487552s
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004275000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
                        Source: RegAsm.exe, 00000001.00000002.2207111392.000000000574E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004275000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004240000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004275000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004275000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004240000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696487552
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004275000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004240000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004275000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004275000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004275000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696487552s
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004240000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004275000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004275000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696487552t
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004275000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004275000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004240000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                        Source: RegAsm.exe, 00000001.00000002.2200150085.0000000004275000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information queried: ProcessInformation
                        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008B67DD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_008B67DD
                        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008CA021 mov eax, dword ptr fs:[00000030h] 0_2_008CA021
                        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C010F mov ecx, dword ptr fs:[00000030h] 0_2_008C010F
                        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008CC620 GetProcessHeap,0_2_008CC620
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
                        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008B6939 SetUnhandledExceptionFilter,0_2_008B6939
                        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008B6A4A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_008B6A4A
                        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008BA713 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_008BA713
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: page read and write | page guard

                        HIPS / PFW / Operating System Protection Evasion

                        Source: C:\Users\user\Desktop\file.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
                        Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                        Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                        Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
                        Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 432000
                        Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000
                        Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: CFE008
                        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008B64BC cpuid 0_2_008B64BC
                        Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,0_2_008CC0C0
                        Source: C:\Users\user\Desktop\file.exe | Code function: EnumSystemLocalesW,0_2_008C5022
                        Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_008CC1E9
                        Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,0_2_008CC2EF
                        Source: C:\Users\user\Desktop\file.exe | Code function: GetACP,IsValidCodePage,GetLocaleInfoW,0_2_008CBA5A
                        Source: C:\Users\user\Desktop\file.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_008CC3BE
                        Source: C:\Users\user\Desktop\file.exe | Code function: EnumSystemLocalesW,0_2_008CBCFC
                        Source: C:\Users\user\Desktop\file.exe | Code function: EnumSystemLocalesW,0_2_008CBDE2
                        Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,0_2_008C5548
                        Source: C:\Users\user\Desktop\file.exe | Code function: EnumSystemLocalesW,0_2_008CBD47
                        Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_008CBE6D
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008B66D0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_008B66D0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                        Stealing of Sensitive Information

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 0.2.file.exe.8df028.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.8df028.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.8b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2057040700.00000000008DD000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2196742233.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 5228, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 712, type: MEMORYSTR
Source: RegAsm.exe, 00000001.00000002.2198042480.000000000323A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Electrum\walletsLR
Source: RegAsm.exe, 00000001.00000002.2198042480.000000000323A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: q4C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: RegAsm.exe, 00000001.00000002.2198042480.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty
Source: RegAsm.exe, 00000001.00000002.2198042480.000000000323A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.walletLR
Source: RegAsm.exe, 00000001.00000002.2198042480.000000000323A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum\walletsLR
Source: RegAsm.exe, 00000001.00000002.2198042480.000000000323A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.walletLR
Source: RegAsm.exe, 00000001.00000002.2198042480.000000000323A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: qdC:\Users\user\AppData\Roaming\Binance
Source: RegAsm.exe, 00000001.00000002.2198042480.000000000323A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum\walletsLR
Source: RegAsm.exe, 00000001.00000002.2198042480.000000000323A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: q&%localappdata%\Coinomi\Coinomi\walletsLR
Source: RegAsm.exe, 00000001.00000002.2198042480.000000000323A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: q8C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: Yara match | File source: 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2198042480.000000000323A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 712, type: MEMORYSTR

                        Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 0.2.file.exe.8df028.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.8df028.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.8b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2057040700.00000000008DD000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2196742233.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 5228, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 712, type: MEMORYSTR
MITRE ATT&CK Matrix (one technique per tactic column; a leading number is the report's signature count badge for that technique)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 221 Windows Management Instrumentation | 1 DLL Side-Loading | 311 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 11 Input Capture | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | 11 Input Capture | 241 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 241 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | 3 Data from Local System | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 311 Process Injection | NTDS | 241 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Obfuscated Files or Information | Cached Domain Credentials | 2 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Install Root Certificate | DCSync | 134 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Software Packing | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Source | Detection | Scanner | Label | Link
file.exe | 24% | Virustotal | | Browse
file.exe | 100% | Avira | HEUR/AGEN.1314931 |
file.exe | 100% | Joe Sandbox ML | |
                        No Antivirus matches
                        No Antivirus matches
                        No Antivirus matches
Source | Detection | Scanner | Label | Link
https://api.ip.sb/ip | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id12Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id14ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/ | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id2Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id23ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id21Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id9 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id8 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id6ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id9 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id21Response | 4% | Virustotal | | Browse
http://tempuri.org/Entity/Id5 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id4 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id2Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id12Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id7 | 0% | Avira URL Cloud | safe |
http://tempuri.org/ | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id14ResponseD | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id6 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id19Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id5 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id13ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id4 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id8 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id19Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id6 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id13ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id6ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id15Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id1ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id6Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id5ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id7 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id9Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id20 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id23ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id21 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id22 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id1ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id23 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id24 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id20 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id24Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id23 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id22 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id1Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id9Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id21ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id21 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id24Response | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id5ResponseD | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id10 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id11 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id10ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id15Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id21ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id12 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id6Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id24 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id16Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id1Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id13 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id14 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id10 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id11 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id15 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id10ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id16 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id17 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id12 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id18 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id5Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id19 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id13 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id15ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id16 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id14 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id15 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id10Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id5Response | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id16Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id17 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id19 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id11ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id8Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id17ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id8ResponseD | 0% | Avira URL Cloud | safe |
                        No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id14ResponseD | RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id23ResponseD | RegAsm.exe, 00000001.00000002.2198042480.00000000030AC000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id12Response | RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/ | RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id2Response | RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id21Response | RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | 4%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id9 | RegAsm.exe, 00000001.00000002.2198042480.0000000003432000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id8 | RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id6ResponseD | RegAsm.exe, 00000001.00000002.2198042480.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2198042480.000000000344F000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id5 | RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id4 | RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id7 | RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id6 | RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id19Response | RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | false | |
                                              high
                                              http://schemas.xmlsoap.org/ws/2004/10/wsat/AbortedRegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequenceRegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  http://tempuri.org/Entity/Id13ResponseDRegAsm.exe, 00000001.00000002.2198042480.00000000030AC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • 1%, Virustotal, Browse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/faultRegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    http://schemas.xmlsoap.org/ws/2004/10/wsatRegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeyRegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        http://tempuri.org/Entity/Id15ResponseRegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • 2%, Virustotal, Browse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://tempuri.org/Entity/Id5ResponseDRegAsm.exe, 00000001.00000002.2198042480.00000000030AC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • 2%, Virustotal, Browse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameRegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/RenewRegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterRegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                http://tempuri.org/Entity/Id6ResponseRegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • 2%, Virustotal, Browse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKeyRegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://api.ip.sb/ipfile.exe, file.exe, 00000000.00000002.2057040700.00000000008DD000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000001.00000002.2196742233.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://schemas.xmlsoap.org/ws/2004/04/scRegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://tempuri.org/Entity/Id1ResponseDRegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    • 1%, Virustotal, Browse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PCRegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/CancelRegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://tempuri.org/Entity/Id9ResponseRegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        • 2%, Virustotal, Browse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://tempuri.org/Entity/Id20RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        • 1%, Virustotal, Browse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://tempuri.org/Entity/Id21RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        • 1%, Virustotal, Browse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://tempuri.org/Entity/Id22RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        • 1%, Virustotal, Browse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://tempuri.org/Entity/Id23RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2198042480.00000000030AC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • 1%, Virustotal, Browse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://tempuri.org/Entity/Id24RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • 1%, Virustotal, Browse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/IssueRegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://tempuri.org/Entity/Id24ResponseRegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              • 1%, Virustotal, Browse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              http://tempuri.org/Entity/Id1ResponseRegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              • 2%, Virustotal, Browse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedRegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyRegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/ReplayRegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegoRegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64BinaryRegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCRegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyRegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://tempuri.org/Entity/Id21ResponseDRegAsm.exe, 00000001.00000002.2198042480.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            • 1%, Virustotal, Browse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            http://schemas.xmlsoap.org/ws/2004/08/addressingRegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueRegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletionRegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://schemas.xmlsoap.org/ws/2004/04/trustRegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://tempuri.org/Entity/Id10RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    • 1%, Virustotal, Browse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    http://tempuri.org/Entity/Id11RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    • 1%, Virustotal, Browse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    http://tempuri.org/Entity/Id10ResponseDRegAsm.exe, 00000001.00000002.2198042480.0000000003461000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2198042480.00000000030AC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    • 1%, Virustotal, Browse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    http://tempuri.org/Entity/Id12RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    • 1%, Virustotal, Browse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    http://tempuri.org/Entity/Id16ResponseRegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    • 2%, Virustotal, Browse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseRegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelRegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://tempuri.org/Entity/Id13RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • 1%, Virustotal, Browse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://tempuri.org/Entity/Id14RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • 1%, Virustotal, Browse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://tempuri.org/Entity/Id15RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • 1%, Virustotal, Browse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://tempuri.org/Entity/Id16RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • 1%, Virustotal, Browse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/NonceRegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://tempuri.org/Entity/Id17RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • 1%, Virustotal, Browse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://tempuri.org/Entity/Id18RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://tempuri.org/Entity/Id5ResponseRegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • 1%, Virustotal, Browse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://tempuri.org/Entity/Id19RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • 1%, Virustotal, Browse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsRegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://tempuri.org/Entity/Id15ResponseDRegAsm.exe, 00000001.00000002.2198042480.000000000323A000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://tempuri.org/Entity/Id10ResponseRegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/RenewRegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://tempuri.org/Entity/Id11ResponseDRegAsm.exe, 00000001.00000002.2198042480.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              http://tempuri.org/Entity/Id8ResponseRegAsm.exe, 00000001.00000002.2198042480.0000000003432000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey | RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0 | RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID | RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT | RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity | RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id17ResponseD | RegAsm.exe, 00000001.00000002.2198042480.00000000030AC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/soap/envelope/ | RegAsm.exe, 00000001.00000002.2198042480.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id8ResponseD | RegAsm.exe, 00000001.00000002.2198042480.00000000030AC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey | RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1 | RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust | RegAsm.exe, 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
5.42.65.96 | unknown | Russian Federation | 39493 | RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1435951
Start date and time: 2024-05-03 13:40:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 59s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/5@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 92%
• Number of executed functions: 84
• Number of non-executed functions: 45
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
13:40:59 | API Interceptor | 45x Sleep call for process: RegAsm.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
5.42.65.96 | file.exe | malicious | RedLine
5.42.65.96 | tZvjMg3Hw9.exe | malicious | PureLog Stealer, RedLine, RisePro Stealer, Vidar, zgRAT
5.42.65.96 | file.exe | malicious | RedLine
5.42.65.96 | WlCIinu0yp.exe | malicious | LummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer, Socks5Systemz, Vidar, zgRAT
5.42.65.96 | file.exe | malicious | LummaC, GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine
5.42.65.96 | file.exe | malicious | RedLine
5.42.65.96 | file.exe | malicious | LummaC, PureLog Stealer, RedLine, RisePro Stealer, Vidar, zgRAT
5.42.65.96 | file.exe | malicious | RedLine
5.42.65.96 | file.exe | malicious | RedLine
5.42.65.96 | file.exe | malicious | RedLine
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | file.exe | malicious | RedLine | 5.42.65.96
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | tZvjMg3Hw9.exe | malicious | PureLog Stealer, RedLine, RisePro Stealer, Vidar, zgRAT | 5.42.66.10
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | [V2]launcher.exe | malicious | PureLog Stealer, RedLine, Xmrig | 45.15.156.167
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | SecuriteInfo.com.Trojan.PWS.Siggen3.32416.6905.9348.exe | malicious | RedLine | 5.42.65.101
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | file.exe | malicious | RedLine | 5.42.65.96
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | VOrqSh1Fts.exe | malicious | Neoreklami, PureLog Stealer | 5.42.66.10
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | WlCIinu0yp.exe | malicious | LummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer, Socks5Systemz, Vidar, zgRAT | 5.42.66.10
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | file.exe | malicious | LummaC, GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine | 5.42.65.64
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | file.exe | malicious | RedLine | 5.42.65.96
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | file.exe | malicious | LummaC, PureLog Stealer, RedLine, RisePro Stealer, Vidar, zgRAT | 5.42.65.64
No context
No context
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Thu Oct 5 05:47:14 2023, atime=Wed Sep 27 08:36:54 2023, length=3242272, window=hide
Category: dropped
Size (bytes): 2104
Entropy (8bit): 3.468213012568913
Encrypted: false
SSDEEP: 48:8S3d5TvG90lRYrnvPdAKRkdAGdAKRFdAKR6P:8S7by7
MD5: 5D3CC3EBC2FE9A3127EBC33DAB8AC98C
SHA1: 8E57592446EC44174EA522C0251A96A16682EEF9
SHA-256: FE110C1E2FC5A6487EEDD697FF91357D1AFB17E1EE27E2E372180E09D6ED0CD8
SHA-512: CE7D0680EB84951151AF185C924CE662FC95251F3DF63C52743483CDB138DF2D0C8FFE00207D9CB8AB7B6E7C8022B31F3FDB781E3C7DF1911829303D5FDD1C97
Malicious: false
Reputation: low
                                                                                                                                                    Preview:L..................F.@.. ......,.....R<.W....X.&&... y1.....................#....P.O. .:i.....+00.../C:\.....................1.....EW.3..PROGRA~1..t......O.IEW.5....B...............J.......j.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VEW@2....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.2..Chrome..>......CW.VEW.2....M.....................7...C.h.r.o.m.e.....`.1.....EW.2..APPLIC~1..H......CW.VEW.2..........................7...A.p.p.l.i.c.a.t.i.o.n.....`.2. y1.;W.L .chrome.exe..F......CW.VEW.5.........................l...c.h.r.o.m.e...e.x.e.......d...............-.......c............F.......C:\Program Files\Google\Chrome\Application\chrome.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.;.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.!.-.-.p.r.o.x.y.-.s.e.r.v.e.r
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 3274
Entropy (8bit): 5.3318368586986695
Encrypted: false
SSDEEP: 96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqc85VD:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlq0
MD5: 0C1110E9B7BBBCB651A0B7568D796468
SHA1: 7AEE00407EE27655FFF0ADFBC96CF7FAD9610AAA
SHA-256: 112E21404A85963FB5DF8388F97429D6A46E9D4663435CC86267C563C0951FA2
SHA-512: 46E37552764B4E61006AB99F8C542D55B2418668B097D3C6647D306604C3D7CA3FAF34F8B4121D94B0E7168295B2ABEB7C21C3B96F37208943537B887BC81590
Malicious: false
Reputation: moderate, very likely benign file
                                                                                                                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type: data
Category: dropped
Size (bytes): 2662
Entropy (8bit): 7.8230547059446645
Encrypted: false
SSDEEP: 48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5: 1420D30F964EAC2C85B2CCFE968EEBCE
SHA1: BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256: F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512: 6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious: false
Reputation: moderate, very likely benign file
Preview: (binary data, not shown)
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type: data
Category: dropped
Size (bytes): 2662
Entropy (8bit): 7.8230547059446645
Encrypted: false
SSDEEP: 48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5: 1420D30F964EAC2C85B2CCFE968EEBCE
SHA1: BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256: F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512: 6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious: false
Reputation: moderate, very likely benign file
Preview: (binary data, not shown)
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:data
Category:dropped
Size (bytes):2251
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:0158FE9CEAD91D1B027B795984737614
SHA1:B41A11F909A7BDF1115088790A5680AC4E23031B
SHA-256:513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A
SHA-512:C48A55CC7A92CEFCEFE5FB2382CCD8EF651FC8E0885E88A256CD2F5D83B824B7D910F755180B29ECCB54D9361D6AF82F9CC741BD7E6752122949B657DA973676
Malicious:false
Reputation:moderate, very likely benign file
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.236561860707032
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:file.exe
File size:558'592 bytes
MD5:702021300aed8dfde070019d752b020d
SHA1:45f152925534102013fbe5c17805ca938499256d
SHA256:e75a30472c88c4a2d875b19a60c704d773de97c025a87e5e813b02cbaccb4678
SHA512:34cf3a888f35bee61a72ca5bb418a8676ff66d3be44af31d709548b9ba8ba0c8fed84a6c44baab74965a72d3b60e5d74d178589614a06a24bbf966b2ffa7ccc0
SSDEEP:12288:a/kIWN053iBXmiHvxIsFCmelWpqKoQ/P6znImCruFPyeJegy91Ho:aMIb3mHpzeqqdQ/P6MJepa1
TLSH:87C4F11279C18172D57324360AF1DBB85E3EBD700E61AD9FA3D40FBF4B342919A24A97
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(tY.F'Y.F'Y.F'..E&U.F'..C&..F'..B&L.F'..B&K.F'..E&M.F'..G&\.F'Y.G'..F'..C&..F'..C&X.F'..D&X.F'RichY.F'................PE..L..
Icon Hash:00928e8e8686b000
Entrypoint:0x406102
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x6634C399 [Fri May 3 10:59:37 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:f23588e58d9b5c75df2f16b529527a2e
Instruction
call 00007F8A9945BFCBh
jmp 00007F8A9945B829h
push ebp
mov ebp, esp
jmp 00007F8A9945B9BFh
push dword ptr [ebp+08h]
call 00007F8A994672A1h
pop ecx
test eax, eax
je 00007F8A9945B9C1h
push dword ptr [ebp+08h]
call 00007F8A99462609h
pop ecx
test eax, eax
je 00007F8A9945B998h
pop ebp
ret
cmp dword ptr [ebp+08h], FFFFFFFFh
je 00007F8A99458698h
jmp 00007F8A994597A9h
push ebp
mov ebp, esp
push dword ptr [ebp+08h]
call 00007F8A9945C2B3h
pop ecx
pop ebp
ret
cmp ecx, dword ptr [0042D040h]
jne 00007F8A9945B9B3h
ret
jmp 00007F8A9945C2CFh
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov ecx, dword ptr [ebp-10h]
xor ecx, ebp
call 00007F8A9945B989h
jmp 00007F8A9945B992h
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [0042D040h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [0042D040h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7e000 | 0xdae | .INV
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7c000 | 0x1a6c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2aba8 | 0x1c | .DAX
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2aae8 | 0x40 | .DAX
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x23000 | 0x13c | .DAX
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x211ef | 0x21200 | 74721851a7749ef6e44e879029958779 | False | 0.5832768278301886 | data | 6.644360937306272 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.DAX | 0x23000 | 0x9cf6 | 0x9e00 | 99d6bc4bea04511f397ebd520b8df780 | False | 0.4341871044303797 | data | 4.953927952055476 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x2d000 | 0x1d54 | 0x1000 | 96f6fc94400f9b3c80d126cafa6f2df3 | False | 0.190673828125 | data | 3.018020491461944 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.Left | 0x2f000 | 0x4c4d4 | 0x4c600 | 3847e3ea5f4cd2f26084e74d800339bb | False | 0.9980692512274959 | data | 7.999114778984702 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x7c000 | 0x1a6c | 0x1c00 | 6f40397f4829021ef609cc1670e7efd9 | False | 0.7197265625 | data | 6.348967303435409 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.INV | 0x7e000 | 0xdae | 0xde00 | 1c77006257b50536491ca5c7a4b57571 | False | 0.029402449324324325 | data | 0.5553493164852099 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
USER32.DLL | OpenIcon, RegisterRawInputDevices, OemToCharBuffW, TranslateAccelerator, EvaluateProximityToRect, DrawTextA, DrawStateA, IsCharAlphaNumericW, RegisterClipboardFormatA, LoadKeyboardLayoutA, EnumDisplaySettingsW, DdeCreateStringHandleA, OemToCharA, SendMessageTimeoutW, GetIconInfoExW, InvertRect, GetSystemMenu, FreeDDElParam, SetCursor, GetWindowContextHelpId, PrintWindow, DwmGetDxSharedSurface, ReleaseDwmHitTestWaiters, OpenWindowStationW, DwmGetRemoteSessionOcclusionEvent, GetParent, TrackPopupMenuEx, _UserTestTokenForInteractive, DdeQueryStringW, ScrollChildren
KERNEL32.DLL | LoadLibraryExW, CreateFileW, VirtualProtect, WideCharToMultiByte, MultiByteToWideChar, GetStringTypeW, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, GetCPInfo, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetModuleHandleW, GetCurrentProcess, TerminateProcess, HeapSize, RaiseException, RtlUnwind, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, WriteConsoleW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, GetFileType, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileSizeEx, SetFilePointerEx, CloseHandle, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetProcessHeap, ReadConsoleW
MSVCRT.DLL | _mbsupr_s, _set_errno, _wtoi64, _mbsnextc_l, _islower_l, _wutime64, _vfwprintf_l, __pwctype_func, _mktemp, _popen, __CxxCallUnwindDtor, _fwscanf_s_l, _gcvt, _sprintf_l, _cwscanf_l, _wcstoul_l, _wtempnam_dbg, _vcprintf, __ExceptionPtrCopy, _swprintf_s_l, _get_environ, _mbscpy, _fprintf_s_l, _wspawnvpe, exit
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/03/24-13:40:54.255282 | TCP | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 28380 | 49699 | 5.42.65.96 | 192.168.2.6
05/03/24-13:40:54.078459 | TCP | 2046045 | ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 49699 | 28380 | 192.168.2.6 | 5.42.65.96
05/03/24-13:40:59.478662 | TCP | 2046056 | ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) | 28380 | 49699 | 5.42.65.96 | 192.168.2.6
05/03/24-13:41:06.269199 | TCP | 2043231 | ET TROJAN Redline Stealer TCP CnC Activity | 49699 | 28380 | 192.168.2.6 | 5.42.65.96
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 3, 2024 13:40:53.676842928 CEST | 49699 | 28380 | 192.168.2.6 | 5.42.65.96
May 3, 2024 13:40:53.850569963 CEST | 28380 | 49699 | 5.42.65.96 | 192.168.2.6
May 3, 2024 13:40:53.850658894 CEST | 49699 | 28380 | 192.168.2.6 | 5.42.65.96
May 3, 2024 13:40:53.862823963 CEST | 49699 | 28380 | 192.168.2.6 | 5.42.65.96
May 3, 2024 13:40:54.036683083 CEST | 28380 | 49699 | 5.42.65.96 | 192.168.2.6
May 3, 2024 13:40:54.078459024 CEST | 49699 | 28380 | 192.168.2.6 | 5.42.65.96
May 3, 2024 13:40:54.255281925 CEST | 28380 | 49699 | 5.42.65.96 | 192.168.2.6
May 3, 2024 13:40:54.299222946 CEST | 49699 | 28380 | 192.168.2.6 | 5.42.65.96
May 3, 2024 13:40:59.303356886 CEST | 49699 | 28380 | 192.168.2.6 | 5.42.65.96
May 3, 2024 13:40:59.478662014 CEST | 28380 | 49699 | 5.42.65.96 | 192.168.2.6
                                                                                                                                                    May 3, 2024 13:40:59.478678942 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:40:59.478693962 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:40:59.478708029 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:40:59.478724003 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:40:59.478806019 CEST4969928380192.168.2.65.42.65.96
                                                                                                                                                    May 3, 2024 13:40:59.533607006 CEST4969928380192.168.2.65.42.65.96
                                                                                                                                                    May 3, 2024 13:40:59.592117071 CEST4969928380192.168.2.65.42.65.96
                                                                                                                                                    May 3, 2024 13:40:59.767750025 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:40:59.776021004 CEST4969928380192.168.2.65.42.65.96
                                                                                                                                                    May 3, 2024 13:40:59.949605942 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:40:59.949851036 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:40:59.949970007 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:40:59.951816082 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:00.002362013 CEST4969928380192.168.2.65.42.65.96
                                                                                                                                                    May 3, 2024 13:41:00.535037994 CEST4969928380192.168.2.65.42.65.96
                                                                                                                                                    May 3, 2024 13:41:00.709830046 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:00.752372026 CEST4969928380192.168.2.65.42.65.96
                                                                                                                                                    May 3, 2024 13:41:01.220105886 CEST4969928380192.168.2.65.42.65.96
                                                                                                                                                    May 3, 2024 13:41:01.393780947 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:01.439837933 CEST4969928380192.168.2.65.42.65.96
                                                                                                                                                    May 3, 2024 13:41:02.106873035 CEST4969928380192.168.2.65.42.65.96
                                                                                                                                                    May 3, 2024 13:41:02.282646894 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:02.284765959 CEST4969928380192.168.2.65.42.65.96
                                                                                                                                                    May 3, 2024 13:41:02.458890915 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:02.502377987 CEST4969928380192.168.2.65.42.65.96
                                                                                                                                                    May 3, 2024 13:41:02.529186010 CEST4969928380192.168.2.65.42.65.96
                                                                                                                                                    May 3, 2024 13:41:02.702419043 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:02.702456951 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:02.702469110 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:02.702646971 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:02.703469992 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:02.719048023 CEST4969928380192.168.2.65.42.65.96
                                                                                                                                                    May 3, 2024 13:41:02.892894983 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:02.939872026 CEST4969928380192.168.2.65.42.65.96
                                                                                                                                                    May 3, 2024 13:41:02.968991041 CEST4969928380192.168.2.65.42.65.96
                                                                                                                                                    May 3, 2024 13:41:03.144088984 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:03.171344042 CEST4969928380192.168.2.65.42.65.96
                                                                                                                                                    May 3, 2024 13:41:03.346113920 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:03.349737883 CEST4969928380192.168.2.65.42.65.96
                                                                                                                                                    May 3, 2024 13:41:03.523808002 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:03.564846992 CEST4969928380192.168.2.65.42.65.96
                                                                                                                                                    May 3, 2024 13:41:03.698149920 CEST4969928380192.168.2.65.42.65.96
                                                                                                                                                    May 3, 2024 13:41:03.872234106 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:03.924384117 CEST4969928380192.168.2.65.42.65.96
                                                                                                                                                    May 3, 2024 13:41:03.948499918 CEST4969928380192.168.2.65.42.65.96
                                                                                                                                                    May 3, 2024 13:41:04.121787071 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.121851921 CEST4969928380192.168.2.65.42.65.96
                                                                                                                                                    May 3, 2024 13:41:04.122009993 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.122068882 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.122091055 CEST4969928380192.168.2.65.42.65.96
                                                                                                                                                    May 3, 2024 13:41:04.122140884 CEST4969928380192.168.2.65.42.65.96
                                                                                                                                                    May 3, 2024 13:41:04.122299910 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.122378111 CEST4969928380192.168.2.65.42.65.96
                                                                                                                                                    May 3, 2024 13:41:04.122450113 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.122518063 CEST4969928380192.168.2.65.42.65.96
                                                                                                                                                    May 3, 2024 13:41:04.122679949 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.122730970 CEST4969928380192.168.2.65.42.65.96
                                                                                                                                                    May 3, 2024 13:41:04.297333002 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.297444105 CEST4969928380192.168.2.65.42.65.96
                                                                                                                                                    May 3, 2024 13:41:04.297518015 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.297719955 CEST4969928380192.168.2.65.42.65.96
                                                                                                                                                    May 3, 2024 13:41:04.297734022 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.297792912 CEST4969928380192.168.2.65.42.65.96
                                                                                                                                                    May 3, 2024 13:41:04.297877073 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.297977924 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.298012018 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.298280001 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.298511982 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.298655987 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.298829079 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.298829079 CEST4969928380192.168.2.65.42.65.96
                                                                                                                                                    May 3, 2024 13:41:04.298943996 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.298957109 CEST4969928380192.168.2.65.42.65.96
                                                                                                                                                    May 3, 2024 13:41:04.299021006 CEST4969928380192.168.2.65.42.65.96
                                                                                                                                                    May 3, 2024 13:41:04.299202919 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.299285889 CEST4969928380192.168.2.65.42.65.96
                                                                                                                                                    May 3, 2024 13:41:04.299412012 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.299438953 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.299829960 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.299880028 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.300057888 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.300283909 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.300430059 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.300693989 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.300743103 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.300915003 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.301068068 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.471226931 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.471447945 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.471565962 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.471877098 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.472136974 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.472368002 CEST4969928380192.168.2.65.42.65.96
                                                                                                                                                    May 3, 2024 13:41:04.472459078 CEST4969928380192.168.2.65.42.65.96
                                                                                                                                                    May 3, 2024 13:41:04.472628117 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.472904921 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.473196030 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.473402977 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.473601103 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.474715948 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.474947929 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.475197077 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.475835085 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.476452112 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.476530075 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.476890087 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.477217913 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.477269888 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.477642059 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.478085041 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.478147030 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.478188992 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.478698969 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.480144024 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.480619907 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.480894089 CEST4969928380192.168.2.65.42.65.96
                                                                                                                                                    May 3, 2024 13:41:04.480956078 CEST4969928380192.168.2.65.42.65.96
                                                                                                                                                    May 3, 2024 13:41:04.645869970 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.645883083 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.646096945 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.646132946 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.646378994 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.646605015 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.646799088 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.647044897 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.647186041 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.647310972 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.647753000 CEST28380496995.42.65.96192.168.2.6
                                                                                                                                                    May 3, 2024 13:41:04.647818089 CEST28380496995.42.65.96192.168.2.6
Timestamp                            Source Port  Dest Port  Source IP     Dest IP
May 3, 2024 13:41:04.648144960 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.648183107 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.648569107 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.648751020 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.649086952 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.654109955 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.654313087 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.654350042 CEST  49699        28380      192.168.2.6   5.42.65.96
May 3, 2024 13:41:04.654433012 CEST  49699        28380      192.168.2.6   5.42.65.96
May 3, 2024 13:41:04.654690981 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.654846907 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.655015945 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.655366898 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.655437946 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.655467033 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.655879021 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.656182051 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.656604052 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.657085896 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.657100916 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.657490969 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.657783031 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.658085108 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.658389091 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.658581018 CEST  49699        28380      192.168.2.6   5.42.65.96
May 3, 2024 13:41:04.658639908 CEST  49699        28380      192.168.2.6   5.42.65.96
May 3, 2024 13:41:04.827863932 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.827912092 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.828145027 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.828213930 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.828320026 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.828764915 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.828875065 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.829343081 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.829394102 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.829798937 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.829812050 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.829895020 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.830108881 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.830316067 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.830444098 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.830840111 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.830858946 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.831041098 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.832247019 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.832386017 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.832458973 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.832470894 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.832482100 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.832484961 CEST  49699        28380      192.168.2.6   5.42.65.96
May 3, 2024 13:41:04.832565069 CEST  49699        28380      192.168.2.6   5.42.65.96
May 3, 2024 13:41:04.832731009 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.832812071 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.833122015 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.833525896 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.833647966 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.833703995 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.833914995 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.834041119 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.834213018 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.834479094 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.834816933 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.834876060 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:04.835048914 CEST  49699        28380      192.168.2.6   5.42.65.96
May 3, 2024 13:41:04.835112095 CEST  49699        28380      192.168.2.6   5.42.65.96
May 3, 2024 13:41:05.006036043 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.006438017 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.006702900 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.006769896 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.006829977 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.006916046 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.007128000 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.007299900 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.007741928 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.007870913 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.008233070 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.008543015 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.008869886 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.008960009 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.009412050 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.009772062 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.009876013 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.010013103 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.010057926 CEST  49699        28380      192.168.2.6   5.42.65.96
May 3, 2024 13:41:05.010152102 CEST  49699        28380      192.168.2.6   5.42.65.96
May 3, 2024 13:41:05.010238886 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.010377884 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.010636091 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.010996103 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.011096001 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.011447906 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.011627913 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.011888981 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.011945009 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.012326956 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.012523890 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.012924910 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.013035059 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.013518095 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.013669014 CEST  49699        28380      192.168.2.6   5.42.65.96
May 3, 2024 13:41:05.183653116 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.183707952 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.184000015 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.184192896 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.184407949 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.184751987 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.184856892 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.185256958 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.185534954 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.185692072 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.185914993 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.186001062 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.186343908 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.186680079 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.186815977 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.187313080 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.187429905 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.187529087 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.187716007 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.187876940 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.188229084 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.188402891 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.188601017 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.189042091 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.189086914 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.189282894 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.189467907 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.189640999 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.189769983 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.190284967 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.191613913 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.198142052 CEST  49699        28380      192.168.2.6   5.42.65.96
May 3, 2024 13:41:05.371896029 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.378849983 CEST  49699        28380      192.168.2.6   5.42.65.96
May 3, 2024 13:41:05.552824020 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.554728985 CEST  49699        28380      192.168.2.6   5.42.65.96
May 3, 2024 13:41:05.728843927 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.733381987 CEST  49699        28380      192.168.2.6   5.42.65.96
May 3, 2024 13:41:05.907135010 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:05.909033060 CEST  49699        28380      192.168.2.6   5.42.65.96
May 3, 2024 13:41:06.083153963 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:06.092482090 CEST  49699        28380      192.168.2.6   5.42.65.96
May 3, 2024 13:41:06.268219948 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:06.269198895 CEST  49699        28380      192.168.2.6   5.42.65.96
May 3, 2024 13:41:06.448920012 CEST  28380        49699      5.42.65.96    192.168.2.6
May 3, 2024 13:41:06.488807917 CEST  49699        28380      192.168.2.6   5.42.65.96

Target ID: 0
Start time: 13:40:52
Start date: 03/05/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0x8b0000
File size: 558'592 bytes
MD5 hash: 702021300AED8DFDE070019D752B020D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2057040700.00000000008DD000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 1
Start time: 13:40:52
Start date: 03/05/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase: 0xa80000
                                                                                                                                                    File size:65'440 bytes
                                                                                                                                                    MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Yara matches:
                                                                                                                                                    • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000002.2196742233.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2198042480.000000000323A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    Reputation:high
                                                                                                                                                    Has exited:true
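The two process records above carry the injection story of this sample in compact form: a low-reputation file.exe from the Desktop starts the Microsoft-signed RegAsm.exe with no assembly argument, and the RedLine Yara rule then matches inside RegAsm.exe at 0x402000 with protection 0x40, far below RegAsm's own image base of 0xa80000. The following triage helper is an added example, not Joe Sandbox code and not part of the report. It assumes that a Yara "Source" dump name is eight dot-separated hex fields of the form target-id.stage.dump-id.address.protection.f6.region-type.f8, that the protection and region-type fields hold the Win32 PAGE_* and MEM_* constants (0x40 is PAGE_EXECUTE_READWRITE, 0x20000 is MEM_PRIVATE, 0x1000000 is MEM_IMAGE; this reading is inferred from the report's own values, since the file.exe hit at 0x8DD000 sits inside its 0x8b0000 image and decodes as MEM_IMAGE while the RegAsm hit decodes as MEM_PRIVATE), and that a legitimate RegAsm.exe invocation always passes an assembly path.

```python
"""Triage of sandbox process records for code-injection indicators.

Added example, not Joe Sandbox code. Assumptions (also stated in the lead-in):
  * A Yara "Source" dump name is eight dot-separated hex fields:
      <target id>.<stage>.<dump id>.<address>.<protection>.<f6>.<region type>.<f8>.sdmp
    Only fields 1, 4, 5 and 7 are decoded; f6 and f8 are left opaque.
  * Protection and region type are the Win32 PAGE_* / MEM_* constants.
  * Legitimate RegAsm.exe invocations always carry an assembly path argument.
"""
import shlex
from dataclasses import dataclass

PAGE_EXECUTE_ANY = 0x10 | 0x20 | 0x40 | 0x80   # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000


@dataclass(frozen=True)
class MemoryHit:
    target_id: int
    address: int
    protection: int
    region_type: int

    @property
    def executable(self) -> bool:
        return bool(self.protection & PAGE_EXECUTE_ANY)

    @property
    def image_backed(self) -> bool:
        return self.region_type == MEM_IMAGE


def parse_source(source: str) -> MemoryHit:
    """Decode the dump name attached to a Yara match (field layout is an assumption)."""
    fields = source.removesuffix(".sdmp").split(".")
    if len(fields) != 8:
        raise ValueError(f"unexpected dump name layout: {source!r}")
    return MemoryHit(
        target_id=int(fields[0], 16),
        address=int(fields[3], 16),
        protection=int(fields[4], 16),
        region_type=int(fields[6], 16),
    )


def launched_without_arguments(commandline: str) -> bool:
    """True when the command line is only the (possibly quoted) executable path."""
    return len(shlex.split(commandline, posix=False)) == 1


@dataclass(frozen=True)
class ProcessRecord:
    target_id: int
    path: str
    commandline: str
    imagebase: int
    yara_sources: tuple


def triage(records) -> list:
    """One finding per injection indicator: argument-less RegAsm, and Yara hits
    in executable memory that is not backed by any image section."""
    findings = []
    for rec in records:
        name = rec.path.rsplit("\\", 1)[-1].lower()
        system_binary = rec.path.lower().startswith("c:\\windows\\")
        if name == "regasm.exe" and launched_without_arguments(rec.commandline):
            findings.append(f"target {rec.target_id}: RegAsm.exe started with no assembly argument")
        for src in rec.yara_sources:
            hit = parse_source(src)
            if hit.executable and not hit.image_backed:
                where = "below" if hit.address < rec.imagebase else "at or above"
                findings.append(
                    f"target {rec.target_id}: Yara match in executable non-image memory "
                    f"0x{hit.address:x} (protection 0x{hit.protection:x}, "
                    f"{where} imagebase 0x{rec.imagebase:x})"
                    + (" inside a Windows system binary" if system_binary else "")
                )
    return findings


# Values transcribed from the two process records in the report.
RECORDS = (
    ProcessRecord(0, r"C:\Users\user\Desktop\file.exe",
                  r'"C:\Users\user\Desktop\file.exe"', 0x8B0000,
                  ("00000000.00000002.2057040700.00000000008DD000.00000004.00000001.01000000.00000003.sdmp",)),
    ProcessRecord(1, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
                  r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"', 0xA80000,
                  ("00000001.00000002.2196742233.0000000000402000.00000040.00000400.00020000.00000000.sdmp",
                   "00000001.00000002.2198042480.0000000003038000.00000004.00000800.00020000.00000000.sdmp",
                   "00000001.00000002.2198042480.000000000323A000.00000004.00000800.00020000.00000000.sdmp")),
)

if __name__ == "__main__":
    for line in triage(RECORDS):
        print(line)
```

Run against the transcribed records, the helper reports exactly two findings, both on target 1: the argument-less RegAsm.exe launch and the RWX private region at 0x402000. The two PAGE_READWRITE hits at 0x3038000 and 0x323A000 are data (the stealer's strings and configuration in heap memory) and are deliberately not flagged as code. An address of 0x402000 is 0x2000 past the default PE image base of 0x400000, which is consistent with the "Injects a PE file into a foreign processes" signature in the summary, but the helper only reports what the fields encode and leaves that interpretation to the analyst.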


Execution Graph

Execution Coverage:0.8%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:1.3%
Total number of Nodes:1378
Total number of Limit Nodes:28
execution_graph: serialized node/edge listing of the rendered graph (1378 nodes, truncated here), not reproduced. The nodes that resolve to an API are, in order of appearance, EnterCriticalSection, LeaveCriticalSection, GetStartupInfoW, GetFileType, GetStdHandle, IsProcessorFeaturePresent, VirtualProtect, GetModuleHandleW, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, GetProcAddress, LoadLibraryExW, GetLastError, FreeLibrary, TlsSetValue, TlsFree, GetEnvironmentStringsW, WideCharToMultiByte, FreeEnvironmentStringsW, HeapFree, HeapAlloc, SetLastError, GetCurrentProcess, TerminateProcess, GetACP, GetOEMCP, IsValidCodePage, GetCPInfo, MultiByteToWideChar, GetStringTypeW, LCMapStringW and OpenIcon. The remaining nodes are MSVC CRT start-up and locale internals (___scrt_*, __dosmaperr, __Getctype, codecvt, std::_Locinfo), which is why the IsDebuggerPresent hit listed in the signatures appears here next to SetUnhandledExceptionFilter: it is the CRT's default unhandled-exception path, not a bespoke anti-debug check.
17536->17566 17537->17522 17539 8b1a50 17537->17539 17574 8b3dc6 17539->17574 17543 8b1a74 17553 8b1a87 17543->17553 17586 8b26f3 17543->17586 17546 8b1abd 17546->17522 17548 8b1a9e 17594 8b4111 17548->17594 17549 8b1ac3 17604 8b2e36 17549->17604 17597 8b3e1e 17553->17597 17555 8b2176 17554->17555 17559 8b2fc0 std::ios_base::_Init 17554->17559 17561 8b2040 17555->17561 17556 8b2ff9 17557 8b740c Concurrency::cancel_current_task RaiseException 17556->17557 17558 8b3012 17557->17558 17559->17556 17757 8b1e40 17559->17757 17848 8b3fad 17561->17848 17563 8b2048 17564 8b2001 17563->17564 17852 8b2d13 17563->17852 17564->17527 17567 8b39f9 __EH_prolog3_catch 17566->17567 17568 8b1e9a 49 API calls 17567->17568 17569 8b3a9e codecvt 17567->17569 17572 8b3a18 17568->17572 17569->17537 17570 8b3a96 17571 8b2040 49 API calls 17570->17571 17571->17569 17572->17570 17573 8b2fa9 std::ios_base::_Init 41 API calls 17572->17573 17573->17570 17575 8b3ddc 17574->17575 17576 8b3dd5 17574->17576 17578 8b1a61 17575->17578 17613 8b5c6a EnterCriticalSection 17575->17613 17608 8bcd63 17576->17608 17580 8b21b2 17578->17580 17581 8b21be 17580->17581 17582 8b21e2 17580->17582 17583 8b3dc6 std::_Lockit::_Lockit 7 API calls 17581->17583 17582->17543 17584 8b21c8 17583->17584 17585 8b3e1e std::_Lockit::~_Lockit 2 API calls 17584->17585 17585->17582 17587 8b1a97 17586->17587 17588 8b2707 17586->17588 17587->17548 17587->17549 17588->17587 17665 8b610c 17588->17665 17590 8b272b 17590->17587 17687 8b1f84 17590->17687 17591 8b2713 codecvt 17591->17590 17678 8b1c4c 17591->17678 17595 8b610c codecvt 41 API calls 17594->17595 17596 8b411c 17595->17596 17596->17553 17598 8b3e28 17597->17598 17599 8bcd71 17597->17599 17600 8b3e3b 17598->17600 17755 8b5c78 LeaveCriticalSection 17598->17755 17756 8bcd4c LeaveCriticalSection 17599->17756 17600->17546 17602 8bcd78 17602->17546 17605 8b2e44 17604->17605 17606 8b740c Concurrency::cancel_current_task RaiseException 17605->17606 17607 8b2e52 17606->17607 17614 
8c571e 17608->17614 17613->17578 17635 8c50cd 17614->17635 17634 8c5750 17634->17634 17636 8c52b6 std::_Locinfo::_Locinfo_ctor 5 API calls 17635->17636 17637 8c50e3 17636->17637 17638 8c50e7 17637->17638 17639 8c52b6 std::_Locinfo::_Locinfo_ctor 5 API calls 17638->17639 17640 8c50fd 17639->17640 17641 8c5101 17640->17641 17642 8c52b6 std::_Locinfo::_Locinfo_ctor 5 API calls 17641->17642 17643 8c5117 17642->17643 17644 8c511b 17643->17644 17645 8c52b6 std::_Locinfo::_Locinfo_ctor 5 API calls 17644->17645 17646 8c5131 17645->17646 17647 8c5135 17646->17647 17648 8c52b6 std::_Locinfo::_Locinfo_ctor 5 API calls 17647->17648 17649 8c514b 17648->17649 17650 8c514f 17649->17650 17651 8c52b6 std::_Locinfo::_Locinfo_ctor 5 API calls 17650->17651 17652 8c5165 17651->17652 17653 8c5169 17652->17653 17654 8c52b6 std::_Locinfo::_Locinfo_ctor 5 API calls 17653->17654 17655 8c517f 17654->17655 17656 8c5183 17655->17656 17657 8c52b6 std::_Locinfo::_Locinfo_ctor 5 API calls 17656->17657 17658 8c5199 17657->17658 17659 8c51b7 17658->17659 17660 8c52b6 std::_Locinfo::_Locinfo_ctor 5 API calls 17659->17660 17661 8c51cd 17660->17661 17662 8c519d 17661->17662 17663 8c52b6 std::_Locinfo::_Locinfo_ctor 5 API calls 17662->17663 17664 8c51b3 17663->17664 17664->17634 17668 8b6111 17665->17668 17667 8b612b 17667->17591 17668->17667 17669 8c1a05 codecvt 2 API calls 17668->17669 17671 8b2e19 Concurrency::cancel_current_task 17668->17671 17705 8bcd7a 17668->17705 17669->17668 17670 8b6137 17670->17670 17671->17670 17702 8b740c 17671->17702 17673 8b2e35 17674 8ba85b __strnicoll 39 API calls 17673->17674 17675 8ba92e 17674->17675 17676 8ba93c _Deallocate 11 API calls 17675->17676 17677 8ba93b 17676->17677 17679 8b3dc6 std::_Lockit::_Lockit 7 API calls 17678->17679 17680 8b1c58 17679->17680 17681 8b1c99 17680->17681 17682 8b1c86 17680->17682 17721 8b3f8d 17681->17721 17712 8b4241 17682->17712 17751 8b428c 17687->17751 17690 8bab3a _Yarn 12 API calls 17691 8b1f9d 17690->17691 17692 8b1fb0 
17691->17692 17694 8bab3a _Yarn 12 API calls 17691->17694 17693 8b1fc1 17692->17693 17695 8bab3a _Yarn 12 API calls 17692->17695 17696 8b1fd2 17693->17696 17697 8bab3a _Yarn 12 API calls 17693->17697 17694->17692 17695->17693 17698 8b1fe3 17696->17698 17699 8bab3a _Yarn 12 API calls 17696->17699 17697->17696 17700 8b1ff4 17698->17700 17701 8bab3a _Yarn 12 API calls 17698->17701 17699->17698 17701->17700 17703 8b7453 RaiseException 17702->17703 17704 8b7426 17702->17704 17703->17673 17704->17703 17710 8c3d30 __Getctype 17705->17710 17706 8c3d6e 17707 8bd600 __dosmaperr 12 API calls 17706->17707 17709 8c3d6c 17707->17709 17708 8c3d59 HeapAlloc 17708->17709 17708->17710 17709->17668 17710->17706 17710->17708 17711 8c1a05 codecvt 2 API calls 17710->17711 17711->17710 17726 8bcfda 17712->17726 17716 8b4265 17717 8b4275 17716->17717 17718 8bcfda std::_Locinfo::_Locinfo_ctor 66 API calls 17716->17718 17719 8b409b _Yarn 13 API calls 17717->17719 17718->17717 17720 8b1c90 17719->17720 17720->17590 17745 8b3ee4 17721->17745 17724 8b740c Concurrency::cancel_current_task RaiseException 17725 8b3fac 17724->17725 17727 8c571e std::_Locinfo::_Locinfo_ctor 5 API calls 17726->17727 17728 8bcfe7 17727->17728 17737 8bcd85 17728->17737 17731 8b409b 17732 8b40a9 17731->17732 17736 8b40d4 _Yarn 17731->17736 17733 8b40b5 17732->17733 17734 8bab3a _Yarn 12 API calls 17732->17734 17735 8bcd7a _Yarn 13 API calls 17733->17735 17733->17736 17734->17733 17735->17736 17736->17716 17738 8bcd91 ___scrt_is_nonwritable_in_current_image 17737->17738 17739 8bcd04 std::_Lockit::_Lockit EnterCriticalSection 17738->17739 17740 8bcd9f 17739->17740 17741 8bcde0 std::_Locinfo::_Locinfo_ctor 66 API calls 17740->17741 17742 8bcdac 17741->17742 17743 8bcdd4 std::_Locinfo::_Locinfo_ctor LeaveCriticalSection 17742->17743 17744 8b424d 17743->17744 17744->17731 17748 8b1df3 17745->17748 17749 8b738a ___std_exception_copy 40 API calls 17748->17749 17750 8b1e1f 17749->17750 17750->17724 17752 8b4298 17751->17752 
17753 8b1f8e 17751->17753 17754 8bcfda std::_Locinfo::_Locinfo_ctor 66 API calls 17752->17754 17753->17690 17753->17691 17754->17753 17755->17600 17756->17602 17760 8b1efa 17757->17760 17769 8b1b9a 17760->17769 17767 8b614a __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 17768 8b1e55 17767->17768 17768->17556 17770 8b1bb7 _strlen 17769->17770 17788 8b114d 17770->17788 17772 8b1bc4 17773 8b1cc5 17772->17773 17806 8b1b66 17773->17806 17780 8b2e73 std::ios_base::_Init 39 API calls 17781 8b1d08 17780->17781 17782 8b614a __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 17781->17782 17783 8b1d27 17782->17783 17784 8b2e73 17783->17784 17785 8b1f32 17784->17785 17786 8b2e7e 17784->17786 17785->17767 17837 8b131c 17786->17837 17789 8b11b8 17788->17789 17793 8b115e std::ios_base::_Init 17788->17793 17803 8b2ec2 17789->17803 17791 8b1165 std::ios_base::_Init 17791->17772 17793->17791 17795 8b1100 17793->17795 17796 8b110b 17795->17796 17799 8b1113 17795->17799 17797 8b1122 std::ios_base::_Init 41 API calls 17796->17797 17800 8b1111 17797->17800 17798 8b111f 17798->17791 17799->17798 17801 8b610c codecvt 41 API calls 17799->17801 17800->17791 17802 8b111d 17801->17802 17802->17791 17804 8b3f4d std::ios_base::_Init 41 API calls 17803->17804 17805 8b2ecc 17804->17805 17807 8b1b86 17806->17807 17826 8b1239 17807->17826 17809 8b1b93 17810 8b2c91 17809->17810 17811 8b2cab _strlen 17810->17811 17812 8b2cc2 17810->17812 17833 8b2f50 17811->17833 17814 8b2f50 std::ios_base::_Init 41 API calls 17812->17814 17815 8b2ce9 17814->17815 17816 8b2e73 std::ios_base::_Init 39 API calls 17815->17816 17817 8b2cf1 std::ios_base::_Init 17816->17817 17818 8b2e73 std::ios_base::_Init 39 API calls 17817->17818 17819 8b2d04 17818->17819 17820 8b614a 
__ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 17819->17820 17821 8b1cf5 17820->17821 17822 8b1e79 17821->17822 17823 8b1e86 17822->17823 17824 8b1df3 std::exception::exception 40 API calls 17823->17824 17825 8b1d00 17824->17825 17825->17780 17827 8b129b 17826->17827 17830 8b124a std::ios_base::_Init 17826->17830 17828 8b2ec2 std::ios_base::_Init 41 API calls 17827->17828 17829 8b12a0 17828->17829 17831 8b1100 std::ios_base::_Init 41 API calls 17830->17831 17832 8b1251 _Yarn std::ios_base::_Init 17830->17832 17831->17832 17832->17809 17834 8b2f90 17833->17834 17835 8b2f66 std::ios_base::_Init 17833->17835 17836 8b1890 std::ios_base::_Init 41 API calls 17834->17836 17835->17812 17836->17835 17838 8b1336 codecvt 17837->17838 17839 8b1329 17837->17839 17838->17785 17841 8b24ad 17839->17841 17842 8b24ca 17841->17842 17843 8b24c7 17841->17843 17844 8ba85b __strnicoll 39 API calls 17842->17844 17843->17838 17845 8ba92e 17844->17845 17846 8ba93c _Deallocate 11 API calls 17845->17846 17847 8ba93b 17846->17847 17848->17563 17849 8b7827 17848->17849 17856 8b934c 17849->17856 17851 8b782c 17851->17563 17854 8b2d1f __EH_prolog3_catch 17852->17854 17853 8b2d5b codecvt 17853->17564 17854->17853 17855 8b2fa9 std::ios_base::_Init 41 API calls 17854->17855 17855->17853 17857 8b9358 GetLastError 17856->17857 17858 8b9355 17856->17858 17861 8ba4c3 17857->17861 17858->17851 17862 8ba362 ___vcrt_FlsSetValue 5 API calls 17861->17862 17863 8ba4dd 17862->17863 17864 8ba4f5 TlsGetValue 17863->17864 17865 8b936d SetLastError 17863->17865 17864->17865 17865->17851 17867 8b3caf 17866->17867 17878 8b19d7 17867->17878 17869 8b3cb8 std::ios_base::_Ios_base_dtor 17869->17530 17871 8b3b73 __EH_prolog3_catch 17870->17871 17872 8b1e9a 49 API calls 17871->17872 17874 8b3b85 17872->17874 17873 8b2fa9 std::ios_base::_Init 41 API calls 17875 8b3c18 17873->17875 17874->17873 17876 8b2040 49 API calls 17875->17876 17877 
8b3c20 codecvt 17876->17877 17877->17532 17879 8b3dc6 std::_Lockit::_Lockit 7 API calls 17878->17879 17880 8b19e8 17879->17880 17881 8b21b2 int 9 API calls 17880->17881 17882 8b19fb 17881->17882 17883 8b1a0e 17882->17883 17893 8b268e 17882->17893 17884 8b3e1e std::_Lockit::~_Lockit 2 API calls 17883->17884 17885 8b1a44 17884->17885 17885->17869 17888 8b1a4a 17890 8b2e36 RaiseException 17888->17890 17889 8b1a25 17891 8b4111 std::_Facet_Register 41 API calls 17889->17891 17892 8b1a4f 17890->17892 17891->17883 17894 8b1a1e 17893->17894 17895 8b26a2 17893->17895 17894->17888 17894->17889 17895->17894 17896 8b610c codecvt 41 API calls 17895->17896 17898 8b26ae codecvt 17896->17898 17897 8b26d7 17897->17894 17899 8b1f84 std::_Locinfo::~_Locinfo 66 API calls 17897->17899 17898->17897 17900 8b1c4c codecvt 69 API calls 17898->17900 17899->17894 17901 8b26c6 17900->17901 17903 8b286f 17901->17903 17908 8b4356 17903->17908 17930 8bd036 17908->17930 17910 8b435f __Getctype 17911 8b4379 17910->17911 17912 8b4397 17910->17912 17935 8bd012 17911->17935 17914 8bd012 __Getctype 39 API calls 17912->17914 17915 8b4380 17914->17915 17940 8bd05b 17915->17940 17918 8b2883 17920 8b43c1 17918->17920 17921 8b43d4 codecvt 17920->17921 17922 8bd036 __Getctype 39 API calls 17921->17922 17923 8b43dc 17922->17923 17954 8bd082 17923->17954 17926 8bd05b __Getctype 39 API calls 17927 8b43eb 17926->17927 17928 8bd012 __Getctype 39 API calls 17927->17928 17929 8b2895 17927->17929 17928->17929 17929->17897 17931 8c2a40 __Getctype 39 API calls 17930->17931 17932 8bd041 17931->17932 17933 8c3d7e __Getctype 39 API calls 17932->17933 17934 8bd051 17933->17934 17934->17910 17936 8c2a40 __Getctype 39 API calls 17935->17936 17937 8bd01d 17936->17937 17938 8c3d7e __Getctype 39 API calls 17937->17938 17939 8bd02d 17938->17939 17939->17915 17941 8c2a40 __Getctype 39 API calls 17940->17941 17942 8bd066 17941->17942 17943 8c3d7e __Getctype 39 API calls 17942->17943 17944 8b43a8 17943->17944 17944->17918 17945 
8bd504 17944->17945 17946 8bd511 17945->17946 17947 8bd54c 17945->17947 17948 8bcd7a _Yarn 13 API calls 17946->17948 17947->17918 17949 8bd534 17948->17949 17949->17947 17950 8c6421 __Getctype 39 API calls 17949->17950 17951 8bd545 17950->17951 17951->17947 17952 8ba93c _Deallocate 11 API calls 17951->17952 17953 8bd562 17952->17953 17955 8c2a40 __Getctype 39 API calls 17954->17955 17956 8bd08d 17955->17956 17957 8c3d7e __Getctype 39 API calls 17956->17957 17958 8b43e3 17957->17958 17958->17926 17960 8c0031 17959->17960 17961 8c0043 17959->17961 17986 8c00cc GetModuleHandleW 17960->17986 17971 8bfecc 17961->17971 17966 8c0080 17966->16726 17970 8c0095 17972 8bfed8 ___scrt_is_nonwritable_in_current_image 17971->17972 17994 8bcd04 EnterCriticalSection 17972->17994 17974 8bfee2 17995 8bff19 17974->17995 17976 8bfeef 17999 8bff0d 17976->17999 17979 8c009b 18024 8c010f 17979->18024 17982 8c00b9 17984 8c0131 __InternalCxxFrameHandler 3 API calls 17982->17984 17983 8c00a9 GetCurrentProcess TerminateProcess 17983->17982 17985 8c00c1 ExitProcess 17984->17985 17987 8c0036 17986->17987 17987->17961 17988 8c0131 GetModuleHandleExW 17987->17988 17989 8c0170 GetProcAddress 17988->17989 17990 8c0191 17988->17990 17989->17990 17991 8c0184 17989->17991 17992 8c0197 FreeLibrary 17990->17992 17993 8c0042 17990->17993 17991->17990 17992->17993 17993->17961 17994->17974 17997 8bff25 ___scrt_is_nonwritable_in_current_image 17995->17997 17996 8bff8c __InternalCxxFrameHandler 17996->17976 17997->17996 18002 8c1d36 17997->18002 18023 8bcd4c LeaveCriticalSection 17999->18023 18001 8bfefb 18001->17966 18001->17979 18003 8c1d42 __EH_prolog3 18002->18003 18006 8c1a8e 18003->18006 18005 8c1d69 codecvt 18005->17996 18007 8c1a9a ___scrt_is_nonwritable_in_current_image 18006->18007 18014 8bcd04 EnterCriticalSection 18007->18014 18009 8c1aa8 18015 8c1c46 18009->18015 18014->18009 18016 8c1c65 18015->18016 18017 8c1ab5 18015->18017 18016->18017 18018 8c3cf6 ___free_lconv_mon 12 API calls 
18016->18018 18019 8c1add 18017->18019 18018->18017 18022 8bcd4c LeaveCriticalSection 18019->18022 18021 8c1ac6 18021->18005 18022->18021 18023->18001 18029 8ca021 GetPEB 18024->18029 18027 8c00a5 18027->17982 18027->17983 18028 8c0119 GetPEB 18028->18027 18030 8c0114 18029->18030 18031 8ca03b 18029->18031 18030->18027 18030->18028 18033 8c5339 18031->18033 18034 8c52b6 std::_Locinfo::_Locinfo_ctor 5 API calls 18033->18034 18035 8c5355 18034->18035 18035->18030 18037 8c1ee8 18036->18037 18038 8c1efa ___scrt_uninitialize_crt 18036->18038 18039 8c1ef6 18037->18039 18041 8be292 18037->18041 18038->16781 18039->16781 18044 8be11f 18041->18044 18047 8be013 18044->18047 18048 8be01f ___scrt_is_nonwritable_in_current_image 18047->18048 18055 8bcd04 EnterCriticalSection 18048->18055 18050 8be095 18064 8be0b3 18050->18064 18053 8be029 ___scrt_uninitialize_crt 18053->18050 18056 8bdf87 18053->18056 18055->18053 18057 8bdf93 ___scrt_is_nonwritable_in_current_image 18056->18057 18067 8bd737 EnterCriticalSection 18057->18067 18059 8bdfd6 18081 8be007 18059->18081 18060 8bdf9d ___scrt_uninitialize_crt 18060->18059 18068 8be22d 18060->18068 18183 8bcd4c LeaveCriticalSection 18064->18183 18066 8be0a1 18066->18039 18067->18060 18069 8be242 _Fputc 18068->18069 18070 8be249 18069->18070 18071 8be254 18069->18071 18072 8be11f ___scrt_uninitialize_crt 68 API calls 18070->18072 18084 8be1c4 18071->18084 18074 8be24f 18072->18074 18076 8ba64b _Fputc 39 API calls 18074->18076 18077 8be28c 18076->18077 18077->18059 18079 8be275 18097 8c7022 18079->18097 18182 8bd74b LeaveCriticalSection 18081->18182 18083 8bdff5 18083->18053 18085 8be1dd 18084->18085 18086 8be204 18084->18086 18085->18086 18087 8c4c92 _Ungetc 39 API calls 18085->18087 18086->18074 18090 8c4c92 18086->18090 18088 8be1f9 18087->18088 18108 8c784d 18088->18108 18091 8c4c9e 18090->18091 18092 8c4cb3 18090->18092 18093 8bd600 __dosmaperr 12 API calls 18091->18093 18092->18079 18094 8c4ca3 18093->18094 18095 8ba90f __strnicoll 
39 API calls 18094->18095 18096 8c4cae 18095->18096 18096->18079 18098 8c7040 18097->18098 18099 8c7033 18097->18099 18101 8c7089 18098->18101 18103 8c7067 18098->18103 18100 8bd600 __dosmaperr 12 API calls 18099->18100 18107 8c7038 18100->18107 18102 8bd600 __dosmaperr 12 API calls 18101->18102 18104 8c708e 18102->18104 18149 8c6f80 18103->18149 18106 8ba90f __strnicoll 39 API calls 18104->18106 18106->18107 18107->18074 18111 8c7859 ___scrt_is_nonwritable_in_current_image 18108->18111 18109 8c7861 18109->18086 18110 8c791d 18112 8ba892 __strnicoll 27 API calls 18110->18112 18111->18109 18111->18110 18113 8c78ae 18111->18113 18112->18109 18119 8ca1a0 EnterCriticalSection 18113->18119 18115 8c78b4 18116 8c78d1 18115->18116 18120 8c7955 18115->18120 18146 8c7915 18116->18146 18119->18115 18121 8c797a 18120->18121 18144 8c799d ___scrt_uninitialize_crt 18120->18144 18122 8c797e 18121->18122 18124 8c79dc 18121->18124 18123 8ba892 __strnicoll 27 API calls 18122->18123 18123->18144 18125 8c79f3 18124->18125 18126 8c83c8 ___scrt_uninitialize_crt 41 API calls 18124->18126 18127 8c74d9 ___scrt_uninitialize_crt 40 API calls 18125->18127 18126->18125 18128 8c79fd 18127->18128 18129 8c7a43 18128->18129 18130 8c7a03 18128->18130 18131 8c7aa6 WriteFile 18129->18131 18132 8c7a57 18129->18132 18133 8c7a2d 18130->18133 18134 8c7a0a 18130->18134 18137 8c7ac8 GetLastError 18131->18137 18131->18144 18135 8c7a5f 18132->18135 18136 8c7a94 18132->18136 18138 8c709f ___scrt_uninitialize_crt 45 API calls 18133->18138 18141 8c7471 ___scrt_uninitialize_crt 6 API calls 18134->18141 18134->18144 18139 8c7a64 18135->18139 18140 8c7a82 18135->18140 18142 8c7557 ___scrt_uninitialize_crt 7 API calls 18136->18142 18137->18144 18138->18144 18139->18144 18145 8c7632 ___scrt_uninitialize_crt 7 API calls 18139->18145 18143 8c771b ___scrt_uninitialize_crt 8 API calls 18140->18143 18141->18144 18142->18144 18143->18144 18144->18116 18145->18144 18147 8ca1c3 ___scrt_uninitialize_crt LeaveCriticalSection 
18146->18147 18148 8c791b 18147->18148 18148->18109 18150 8c6f8c ___scrt_is_nonwritable_in_current_image 18149->18150 18162 8ca1a0 EnterCriticalSection 18150->18162 18152 8c6f9b 18161 8c6fe0 18152->18161 18163 8ca277 18152->18163 18154 8bd600 __dosmaperr 12 API calls 18155 8c6fe7 18154->18155 18179 8c7016 18155->18179 18156 8c6fc7 FlushFileBuffers 18156->18155 18157 8c6fd3 GetLastError 18156->18157 18176 8bd5ed 18157->18176 18161->18154 18162->18152 18164 8ca299 18163->18164 18165 8ca284 18163->18165 18168 8bd5ed __dosmaperr 12 API calls 18164->18168 18170 8ca2be 18164->18170 18166 8bd5ed __dosmaperr 12 API calls 18165->18166 18167 8ca289 18166->18167 18169 8bd600 __dosmaperr 12 API calls 18167->18169 18171 8ca2c9 18168->18171 18172 8ca291 18169->18172 18170->18156 18173 8bd600 __dosmaperr 12 API calls 18171->18173 18172->18156 18174 8ca2d1 18173->18174 18175 8ba90f __strnicoll 39 API calls 18174->18175 18175->18172 18177 8c2b91 __dosmaperr 12 API calls 18176->18177 18178 8bd5f2 18177->18178 18178->18161 18180 8ca1c3 ___scrt_uninitialize_crt LeaveCriticalSection 18179->18180 18181 8c6fff 18180->18181 18181->18107 18182->18083 18183->18066 18967 8b5eb8 18968 8b5ec0 18967->18968 18984 8c0232 18968->18984 18970 8b5ecb 18991 8b62ec 18970->18991 18972 8b5f3d 18973 8b67dd 4 API calls 18972->18973 18983 8b5f5a 18972->18983 18974 8b5f62 18973->18974 18975 8b5ee0 __RTC_Initialize 18975->18972 18997 8b6479 18975->18997 18977 8b5ef9 18977->18972 19000 8b6772 InitializeSListHead 18977->19000 18979 8b5f0f 19001 8b6781 18979->19001 18981 8b5f32 19007 8c0841 18981->19007 18985 8c0264 18984->18985 18986 8c0241 18984->18986 18985->18970 18986->18985 18987 8bd600 __dosmaperr 12 API calls 18986->18987 18988 8c0254 18987->18988 18989 8ba90f __strnicoll 39 API calls 18988->18989 18990 8c025f 18989->18990 18990->18970 18992 8b62f8 18991->18992 18993 8b62fc 18991->18993 18992->18975 18994 8b6309 ___scrt_release_startup_lock 18993->18994 18995 8b67dd 4 API calls 18993->18995 18994->18975 
18996 8b6372 18995->18996 19014 8b644c 18997->19014 19000->18979 19049 8c1f0d 19001->19049 19003 8b6792 19004 8b6799 19003->19004 19005 8b67dd 4 API calls 19003->19005 19004->18981 19006 8b67a1 19005->19006 19008 8c2a40 __Getctype 39 API calls 19007->19008 19009 8c084c 19008->19009 19010 8bd600 __dosmaperr 12 API calls 19009->19010 19013 8c0884 19009->19013 19011 8c0879 19010->19011 19012 8ba90f __strnicoll 39 API calls 19011->19012 19012->19013 19013->18972 19015 8b645b 19014->19015 19016 8b6462 19014->19016 19020 8c1d20 19015->19020 19023 8c1d9d 19016->19023 19019 8b6460 19019->18977 19021 8c1d9d 42 API calls 19020->19021 19022 8c1d32 19021->19022 19022->19019 19026 8c1ae9 19023->19026 19027 8c1af5 ___scrt_is_nonwritable_in_current_image 19026->19027 19034 8bcd04 EnterCriticalSection 19027->19034 19029 8c1b03 19035 8c1b44 19029->19035 19031 8c1b10 19045 8c1b38 19031->19045 19034->19029 19036 8c1b5f 19035->19036 19038 8c1bd2 std::_Locinfo::_Locinfo_ctor 19035->19038 19037 8c1bb2 19036->19037 19036->19038 19039 8cc5b3 42 API calls 19036->19039 19037->19038 19040 8cc5b3 42 API calls 19037->19040 19038->19031 19041 8c1ba8 19039->19041 19042 8c1bc8 19040->19042 19043 8c3cf6 ___free_lconv_mon 12 API calls 19041->19043 19044 8c3cf6 ___free_lconv_mon 12 API calls 19042->19044 19043->19037 19044->19038 19048 8bcd4c LeaveCriticalSection 19045->19048 19047 8c1b21 19047->19019 19048->19047 19050 8c1f2b _swprintf 19049->19050 19054 8c1f4b _swprintf 19049->19054 19051 8bd600 __dosmaperr 12 API calls 19050->19051 19052 8c1f41 19051->19052 19053 8ba90f __strnicoll 39 API calls 19052->19053 19053->19054 19054->19003 19271 8bd6eb 19272 8be292 ___scrt_uninitialize_crt 68 API calls 19271->19272 19273 8bd6f3 19272->19273 19281 8c6485 19273->19281 19275 8bd6f8 19291 8c6530 19275->19291 19278 8bd722 19279 8c3cf6 ___free_lconv_mon 12 API calls 19278->19279 19280 8bd72d 19279->19280 19282 8c6491 ___scrt_is_nonwritable_in_current_image 19281->19282 19295 8bcd04 EnterCriticalSection 
19282->19295 19284 8c6508 19302 8c6527 19284->19302 19287 8c64dc DeleteCriticalSection 19289 8c3cf6 ___free_lconv_mon 12 API calls 19287->19289 19290 8c649c 19289->19290 19290->19284 19290->19287 19296 8bdf57 19290->19296 19292 8bd707 DeleteCriticalSection 19291->19292 19293 8c6547 19291->19293 19292->19275 19292->19278 19293->19292 19294 8c3cf6 ___free_lconv_mon 12 API calls 19293->19294 19294->19292 19295->19290 19297 8bdf6a _Fputc 19296->19297 19305 8bde32 19297->19305 19299 8bdf76 19300 8ba64b _Fputc 39 API calls 19299->19300 19301 8bdf82 19300->19301 19301->19290 19377 8bcd4c LeaveCriticalSection 19302->19377 19304 8c6514 19304->19275 19306 8bde3e ___scrt_is_nonwritable_in_current_image 19305->19306 19307 8bde6b 19306->19307 19308 8bde48 19306->19308 19310 8bde63 19307->19310 19316 8bd737 EnterCriticalSection 19307->19316 19309 8ba892 __strnicoll 27 API calls 19308->19309 19309->19310 19310->19299 19312 8bde89 19317 8bdec9 19312->19317 19314 8bde96 19331 8bdec1 19314->19331 19316->19312 19318 8bdef9 19317->19318 19319 8bded6 19317->19319 19321 8be1c4 ___scrt_uninitialize_crt 64 API calls 19318->19321 19329 8bdef1 19318->19329 19320 8ba892 __strnicoll 27 API calls 19319->19320 19320->19329 19322 8bdf11 19321->19322 19323 8c6530 12 API calls 19322->19323 19324 8bdf19 19323->19324 19325 8c4c92 _Ungetc 39 API calls 19324->19325 19326 8bdf25 19325->19326 19334 8c6e02 19326->19334 19329->19314 19330 8c3cf6 ___free_lconv_mon 12 API calls 19330->19329 19376 8bd74b LeaveCriticalSection 19331->19376 19333 8bdec7 19333->19310 19335 8c6e2b 19334->19335 19340 8bdf2c 19334->19340 19336 8c6e7a 19335->19336 19338 8c6e52 19335->19338 19337 8ba892 __strnicoll 27 API calls 19336->19337 19337->19340 19341 8c6d71 19338->19341 19340->19329 19340->19330 19342 8c6d7d ___scrt_is_nonwritable_in_current_image 19341->19342 19349 8ca1a0 EnterCriticalSection 19342->19349 19344 8c6d8b 19345 8c6dbc 19344->19345 19350 8c6ea5 19344->19350 19363 8c6df6 19345->19363 19349->19344 19351 8ca277 
___scrt_uninitialize_crt 39 API calls 19350->19351 19353 8c6eb5 19351->19353 19352 8c6ebb 19366 8ca1e6 19352->19366 19353->19352 19355 8c6eed 19353->19355 19356 8ca277 ___scrt_uninitialize_crt 39 API calls 19353->19356 19355->19352 19357 8ca277 ___scrt_uninitialize_crt 39 API calls 19355->19357 19358 8c6ee4 19356->19358 19359 8c6ef9 CloseHandle 19357->19359 19360 8ca277 ___scrt_uninitialize_crt 39 API calls 19358->19360 19359->19352 19361 8c6f05 GetLastError 19359->19361 19360->19355 19361->19352 19362 8c6f13 ___scrt_uninitialize_crt 19362->19345 19375 8ca1c3 LeaveCriticalSection 19363->19375 19365 8c6ddf 19365->19340 19367 8ca25c 19366->19367 19368 8ca1f5 19366->19368 19369 8bd600 __dosmaperr 12 API calls 19367->19369 19368->19367 19374 8ca21f 19368->19374 19370 8ca261 19369->19370 19371 8bd5ed __dosmaperr 12 API calls 19370->19371 19372 8ca24c 19371->19372 19372->19362 19373 8ca246 SetStdHandle 19373->19372 19374->19372 19374->19373 19375->19365 19376->19333 19377->19304 21559 8c2907 21560 8c2922 21559->21560 21561 8c2912 21559->21561 21565 8c2928 21561->21565 21564 8c3cf6 ___free_lconv_mon 12 API calls 21564->21560 21566 8c293d 21565->21566 21567 8c2943 21565->21567 21568 8c3cf6 ___free_lconv_mon 12 API calls 21566->21568 21569 8c3cf6 ___free_lconv_mon 12 API calls 21567->21569 21568->21567 21570 8c294f 21569->21570 21571 8c3cf6 ___free_lconv_mon 12 API calls 21570->21571 21572 8c295a 21571->21572 21573 8c3cf6 ___free_lconv_mon 12 API calls 21572->21573 21574 8c2965 21573->21574 21575 8c3cf6 ___free_lconv_mon 12 API calls 21574->21575 21576 8c2970 21575->21576 21577 8c3cf6 ___free_lconv_mon 12 API calls 21576->21577 21578 8c297b 21577->21578 21579 8c3cf6 ___free_lconv_mon 12 API calls 21578->21579 21580 8c2986 21579->21580 21581 8c3cf6 ___free_lconv_mon 12 API calls 21580->21581 21582 8c2991 21581->21582 21583 8c3cf6 ___free_lconv_mon 12 API calls 21582->21583 21584 8c299c 21583->21584 21585 8c3cf6 ___free_lconv_mon 12 API calls 21584->21585 21586 8c29aa 
21585->21586 21591 8c2754 21586->21591 21592 8c2760 ___scrt_is_nonwritable_in_current_image 21591->21592 21607 8bcd04 EnterCriticalSection 21592->21607 21594 8c2794 21608 8c27b3 21594->21608 21595 8c276a 21595->21594 21598 8c3cf6 ___free_lconv_mon 12 API calls 21595->21598 21598->21594 21599 8c27bf 21600 8c27cb ___scrt_is_nonwritable_in_current_image 21599->21600 21612 8bcd04 EnterCriticalSection 21600->21612 21602 8c27d5 21603 8c29f5 __Getctype 12 API calls 21602->21603 21604 8c27e8 21603->21604 21613 8c2808 21604->21613 21607->21595 21611 8bcd4c LeaveCriticalSection 21608->21611 21610 8c27a1 21610->21599 21611->21610 21612->21602 21616 8bcd4c LeaveCriticalSection 21613->21616 21615 8c27f6 21615->21564 21616->21615 20412 8c065a 20415 8c0326 20412->20415 20416 8c0332 ___scrt_is_nonwritable_in_current_image 20415->20416 20423 8bcd04 EnterCriticalSection 20416->20423 20418 8c036a 20424 8c0388 20418->20424 20419 8c033c 20419->20418 20421 8cb30e __Getctype 12 API calls 20419->20421 20421->20419 20423->20419 20427 8bcd4c LeaveCriticalSection 20424->20427 20426 8c0376 20427->20426

Control-flow Graph
• Executed
• Not Executed
control_flow_graph 131 8ca021-8ca039 GetPEB 132 8ca04a-8ca04c 131->132 133 8ca03b-8ca03f call 8c5339 131->133 135 8ca04d-8ca051 132->135 136 8ca044-8ca048 133->136 136->132 136->135
Memory Dump Source
• Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
• Associated: 00000000.00000002.2056993288.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057027095.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.00000000008DD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000913000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000922000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057167155.000000000092B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057180875.000000000092C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057192548.000000000092E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8b0000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9395896353acccf952a291b6f0163853f95de6a84289665eef3950dd9f5b70ca
• Instruction ID: 94e8610925ebdf19c7d74490912a19384d8011454e34e9f553386fe2d68c9026
• Opcode Fuzzy Hash: 9395896353acccf952a291b6f0163853f95de6a84289665eef3950dd9f5b70ca
                                                                                                                                                      • Instruction Fuzzy Hash: 01E04632911668EBCB18DB9C8944E8AB2BCFB45B84B11449EB501E3200C274DE00C7D2
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 148 8c010f call 8ca021 150 8c0114-8c0117 148->150 151 8c012e-8c0130 150->151 152 8c0119-8c0129 GetPEB 150->152 152->151 153 8c012b-8c012d 152->153
Memory Dump Source
• Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
• Associated: 00000000.00000002.2056993288.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057027095.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.00000000008DD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000913000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000922000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057167155.000000000092B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057180875.000000000092C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057192548.000000000092E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8b0000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 60db8ef128b66eb642bb16a09a4d214568f9693845bcad6d0eb7c0ed8f4044be
• Instruction ID: 1f66ecd61bb7424158fcfd3bcaffd768291cebeee06c30d3a5e0472bedf9736d
• Opcode Fuzzy Hash: 60db8ef128b66eb642bb16a09a4d214568f9693845bcad6d0eb7c0ed8f4044be
• Instruction Fuzzy Hash: 68C08C38000A00CACE3989149671BA473F6F3917C2F88248DC4028B642D53EDCC2DB02
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 0 8c51eb-8c51f7 1 8c5289-8c528c 0->1 2 8c51fc-8c520d 1->2 3 8c5292 1->3 5 8c520f-8c5212 2->5 6 8c521a-8c5233 LoadLibraryExW 2->6 4 8c5294-8c5298 3->4 7 8c5218 5->7 8 8c52b2-8c52b4 5->8 9 8c5299-8c52a9 6->9 10 8c5235-8c523e GetLastError 6->10 12 8c5286 7->12 8->4 9->8 11 8c52ab-8c52ac FreeLibrary 9->11 13 8c5277-8c5284 10->13 14 8c5240-8c5252 call 8c26c8 10->14 11->8 12->1 13->12 14->13 17 8c5254-8c5266 call 8c26c8 14->17 17->13 20 8c5268-8c5275 LoadLibraryExW 17->20 20->9 20->13
APIs
• FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00000000,?,E64169D8,?,008C52F8,?,?,00000000,00000000), ref: 008C52AC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
• Associated: 00000000.00000002.2056993288.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057027095.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.00000000008DD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000913000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000922000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057167155.000000000092B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057180875.000000000092C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057192548.000000000092E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8b0000_file.jbxd
Yara matches
Similarity
• API ID: FreeLibrary
• String ID: api-ms-$ext-ms-
• API String ID: 3664257935-537541572
• Opcode ID: 1d63fa68fe5458f7f103f57f44a95368931515b8c8ce6ffb73a6eb5ea52ccee8
• Instruction ID: b24ec8e1b4504843bb8be8d143debb86e3099b526ad8c6e7f40d51f787ea2ec5
• Opcode Fuzzy Hash: 1d63fa68fe5458f7f103f57f44a95368931515b8c8ce6ffb73a6eb5ea52ccee8
• Instruction Fuzzy Hash: E2218172A02A15ABDF319B659C44F5A37B8FF41760F240229E956EB390D730FD4196E0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
• GetCurrentProcess.KERNEL32(?,?,008C0095,00000000,008BA712,?,?,E64169D8,008BA712,?), ref: 008C00AC
• TerminateProcess.KERNEL32(00000000,?,008C0095,00000000,008BA712,?,?,E64169D8,008BA712,?), ref: 008C00B3
• ExitProcess.KERNEL32 ref: 008C00C5
Memory Dump Source
• Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
• Associated: 00000000.00000002.2056993288.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057027095.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.00000000008DD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000913000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000922000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057167155.000000000092B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057180875.000000000092C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057192548.000000000092E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8b0000_file.jbxd
Yara matches
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: eef2d279e3eee8f64be0ed06ae96068415d260ef5067c349d4a7e7399369ad71
• Instruction ID: 1b421326a3c0e51acd4976f8ebac8ee5fd0b40305e0533d68c32d8ee1de467b4
• Opcode Fuzzy Hash: eef2d279e3eee8f64be0ed06ae96068415d260ef5067c349d4a7e7399369ad71
• Instruction Fuzzy Hash: 22D06C35014608ABCB216F64EC4EA9D7F2AFA44792B194019B9098A122DB72D992EE81
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 28 8c52b6-8c52de 29 8c52e4-8c52e6 28->29 30 8c52e0-8c52e2 28->30 31 8c52ec-8c52f3 call 8c51eb 29->31 32 8c52e8-8c52ea 29->32 33 8c5335-8c5338 30->33 35 8c52f8-8c52fc 31->35 32->33 36 8c52fe-8c530c GetProcAddress 35->36 37 8c531b-8c5332 35->37 36->37 38 8c530e-8c5319 call 8bf81c 36->38 39 8c5334 37->39 38->39 39->33
Memory Dump Source
• Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
• Associated: 00000000.00000002.2056993288.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057027095.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.00000000008DD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000913000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000922000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057167155.000000000092B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057180875.000000000092C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057192548.000000000092E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8b0000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 87a331ce20a0dd34887542b63515b3cae326bab8030cb13bc93762e10ef929bc
• Instruction ID: 2a77c4dc9c28fef3d97938c2769baf070181cf3cc9cd67167572fc35331e3a91
• Opcode Fuzzy Hash: 87a331ce20a0dd34887542b63515b3cae326bab8030cb13bc93762e10ef929bc
• Instruction Fuzzy Hash: BD01F533211A155B9F128E7DEC44F9A33E6FBC6360B14822AF904DB295DA70E9828690
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                      Control-flow Graph

                                                                                                                                                      • Executed
                                                                                                                                                      • Not Executed
                                                                                                                                                      control_flow_graph 42 8b3d0a-8b3d2e VirtualProtect call 8b3062 44 8b3d33-8b3d52 call 8b3048 42->44
                                                                                                                                                      APIs
                                                                                                                                                      • VirtualProtect.KERNELBASE(0092B028,000004AC,00000040,00000000), ref: 008B3D26
                                                                                                                                                        • Part of subcall function 008B3062: OpenIcon.USER32(00000000), ref: 008B307C
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.2056993288.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057027095.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057040700.00000000008DD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057040700.0000000000913000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057040700.0000000000922000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057167155.000000000092B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057180875.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057192548.000000000092E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                                                                                                                                      Yara matches
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: IconOpenProtectVirtual
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1301268471-0
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      APIs
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                                                                                                                                      Yara matches
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: __floor_pentium4
                                                                                                                                                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                                                                      • API String ID: 4168288129-2761157908
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      APIs
                                                                                                                                                      • GetLocaleInfoW.KERNEL32(?,2000000B,008CC507,00000002,00000000,?,?,?,008CC507,?,00000000), ref: 008CC282
                                                                                                                                                      • GetLocaleInfoW.KERNEL32(?,20001004,008CC507,00000002,00000000,?,?,?,008CC507,?,00000000), ref: 008CC2AB
                                                                                                                                                      • GetACP.KERNEL32(?,?,008CC507,?,00000000), ref: 008CC2C0
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                                                                                                                                      Yara matches
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: InfoLocale
                                                                                                                                                      • String ID: ACP$OCP
                                                                                                                                                      • API String ID: 2299586839-711371036
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 008C2A40: GetLastError.KERNEL32(?,00000008,008C879F,00000000,008BA890), ref: 008C2A44
                                                                                                                                                        • Part of subcall function 008C2A40: SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 008C2AE6
                                                                                                                                                      • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 008CC4CA
                                                                                                                                                      • IsValidCodePage.KERNEL32(00000000), ref: 008CC513
                                                                                                                                                      • IsValidLocale.KERNEL32(?,00000001), ref: 008CC522
                                                                                                                                                      • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 008CC56A
                                                                                                                                                      • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 008CC589
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                                                                                                                                      Yara matches
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 415426439-0
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 008C2A40: GetLastError.KERNEL32(?,00000008,008C879F,00000000,008BA890), ref: 008C2A44
                                                                                                                                                        • Part of subcall function 008C2A40: SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 008C2AE6
                                                                                                                                                      • GetACP.KERNEL32(?,?,?,?,?,?,008C0A4E,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 008CBB1B
                                                                                                                                                      • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,008C0A4E,?,?,?,00000055,?,-00000050,?,?), ref: 008CBB46
                                                                                                                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 008CBCA9
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                                                                                                                                      Yara matches
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: ErrorLast$CodeInfoLocalePageValid
                                                                                                                                                      • String ID: utf8
                                                                                                                                                      • API String ID: 607553120-905460609
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      APIs
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                                                                                                                                      Yara matches
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: _strrchr
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 3213747228-0
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

APIs
• IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 008B67E9
• IsDebuggerPresent.KERNEL32 ref: 008B68B5
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 008B68CE
• UnhandledExceptionFilter.KERNEL32(?), ref: 008B68D8
Memory Dump Source
• Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
• Associated: 00000000.00000002.2056993288.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057027095.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.00000000008DD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000913000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000922000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057167155.000000000092B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057180875.000000000092C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057192548.000000000092E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8b0000_file.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
• String ID:
• API String ID: 254469556-0
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 008C2A40: GetLastError.KERNEL32(?,00000008,008C879F,00000000,008BA890), ref: 008C2A44
  • Part of subcall function 008C2A40: SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 008C2AE6
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 008CBEC1
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 008CBF0B
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 008CBFD1
Yara matches
Similarity
• API ID: InfoLocale$ErrorLast
• String ID:
• API String ID: 661929714-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 008BA80B
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 008BA815
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 008BA822
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
Uniqueness

Uniqueness Score: -1.00%

Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,008C364E,?,?,00000008,?,?,008D15F5,00000000), ref: 008C3880
Yara matches
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 008B64D2
                                                                                                                                                      Yara matches
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: FeaturePresentProcessor
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 2325560087-0
                                                                                                                                                      • Opcode ID: ff7ce12b7fc2fd5219276feaee041456088b56f08a2c85a0b465492d1ce89271
                                                                                                                                                      • Instruction ID: eb958369d6952f16887c2f6888f43fd96056938e2921565139adc9087950d31a
                                                                                                                                                      • Opcode Fuzzy Hash: ff7ce12b7fc2fd5219276feaee041456088b56f08a2c85a0b465492d1ce89271
                                                                                                                                                      • Instruction Fuzzy Hash: 93516EB19026158FEB28CF68D8857AABBF5FB48310F14866BD405EB355E3789D50CF50
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.2056993288.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057027095.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057040700.00000000008DD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057040700.0000000000913000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057040700.0000000000922000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057167155.000000000092B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057180875.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057192548.000000000092E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                                                                                                                                      Yara matches
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: a55bdaf88aa98df6612d863ef28438ab3c687193df26a393b2903fdb1f5018e5
                                                                                                                                                      • Instruction ID: 19d216a4a5130533eb4f61fe2e92188fb8957951d5d31b5cb7823169af5ee2db
                                                                                                                                                      • Opcode Fuzzy Hash: a55bdaf88aa98df6612d863ef28438ab3c687193df26a393b2903fdb1f5018e5
                                                                                                                                                      • Instruction Fuzzy Hash: 0A41C1B5840219AEDF20DF69CC89FAABBB9FF45300F1442EDE419E3201DA319E848F10
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.2056993288.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057027095.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057040700.00000000008DD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057040700.0000000000913000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057040700.0000000000922000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057167155.000000000092B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057180875.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057192548.000000000092E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                                                                                                                                      Yara matches
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: 0
                                                                                                                                                      • API String ID: 0-4108050209
                                                                                                                                                      • Opcode ID: 8c498c1e6756398407336b0f663cbe07a97cab2f4434ada9889b2e5902105f6d
                                                                                                                                                      • Instruction ID: f26f263bea4144ac7ca2f0bf3ec9a232abdfb414161aad042cde541e8ea8971c
                                                                                                                                                      • Opcode Fuzzy Hash: 8c498c1e6756398407336b0f663cbe07a97cab2f4434ada9889b2e5902105f6d
                                                                                                                                                      • Instruction Fuzzy Hash: 65C17D70600A4A8FCB24CF6CC890AFABBA1FF45314F144619D556EB7A2C7B1ED46CB51
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 008C2A40: GetLastError.KERNEL32(?,00000008,008C879F,00000000,008BA890), ref: 008C2A44
                                                                                                                                                        • Part of subcall function 008C2A40: SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 008C2AE6
                                                                                                                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 008CC114
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.2056993288.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057027095.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057040700.00000000008DD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057040700.0000000000913000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057040700.0000000000922000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057167155.000000000092B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057180875.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057192548.000000000092E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                                                                                                                                      Yara matches
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: ErrorLast$InfoLocale
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 3736152602-0
                                                                                                                                                      • Opcode ID: 8a2a91db53b75d43899d3022592be69c96c5f93b9fddffd43d03928519198698
                                                                                                                                                      • Instruction ID: 0d1043e90c2a5dc02e779fffe6c13b4f0b981c20b078ef5b0aeb11733fa2858e
                                                                                                                                                      • Opcode Fuzzy Hash: 8a2a91db53b75d43899d3022592be69c96c5f93b9fddffd43d03928519198698
                                                                                                                                                      • Instruction Fuzzy Hash: FC218E32611206ABDB289A2ADC42FBA77B8FF45314F14007EF90AD6142EB34ED458B51
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 008C2A40: GetLastError.KERNEL32(?,00000008,008C879F,00000000,008BA890), ref: 008C2A44
                                                                                                                                                        • Part of subcall function 008C2A40: SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 008C2AE6
                                                                                                                                                      • EnumSystemLocalesW.KERNEL32(008CBE6D,00000001,00000000,?,-00000050,?,008CC49E,00000000,?,?,?,00000055,?), ref: 008CBDB9
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.2056993288.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057027095.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057040700.00000000008DD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057040700.0000000000913000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057040700.0000000000922000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057167155.000000000092B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057180875.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057192548.000000000092E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                                                                                                                                      Yara matches
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: ErrorLast$EnumLocalesSystem
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 2417226690-0
                                                                                                                                                      • Opcode ID: a2a0262931043775f449b2252c4a281a6f00f8cf70a1524daf332289e9338b5e
                                                                                                                                                      • Instruction ID: 19dff60f946463abac367f3d2ded3ab0587d0ceaf948f7d1d64d75a07a1982df
                                                                                                                                                      • Opcode Fuzzy Hash: a2a0262931043775f449b2252c4a281a6f00f8cf70a1524daf332289e9338b5e
                                                                                                                                                      • Instruction Fuzzy Hash: 7611C636200B055FDB189F39C892ABAB7A1FB80759F14442CEA8787A40D771E942DB40
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 008C2A40: GetLastError.KERNEL32(?,00000008,008C879F,00000000,008BA890), ref: 008C2A44
                                                                                                                                                        • Part of subcall function 008C2A40: SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 008C2AE6
                                                                                                                                                      • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,008CC089,00000000,00000000,?), ref: 008CC31B
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.2056993288.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057027095.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057040700.00000000008DD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057040700.0000000000913000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057040700.0000000000922000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057167155.000000000092B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057180875.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057192548.000000000092E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                                                                                                                                      Yara matches
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: ErrorLast$InfoLocale
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 3736152602-0
                                                                                                                                                      • Opcode ID: 544cb3be789793f512fcc331dc74e6178249f01467aa9e4e700758fca3bc3d0b
                                                                                                                                                      • Instruction ID: d6365d8f55a26ea6aa3286501b8bb46589b280d33440b79f7ac25edbedb596b7
                                                                                                                                                      • Opcode Fuzzy Hash: 544cb3be789793f512fcc331dc74e6178249f01467aa9e4e700758fca3bc3d0b
                                                                                                                                                      • Instruction Fuzzy Hash: C6F0D632A10151ABDB289A349845FBA7778FB40764F08842CEC0AE3280EA30FD02C5D0
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

APIs
  • Part of subcall function 008C2A40: GetLastError.KERNEL32(?,00000008,008C879F,00000000,008BA890), ref: 008C2A44
  • Part of subcall function 008C2A40: SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 008C2AE6
• EnumSystemLocalesW.KERNEL32(008CC0C0,00000001,?,?,-00000050,?,008CC462,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 008CBE2C
Memory Dump Source
• Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
• Associated: 00000000.00000002.2056993288.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057027095.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.00000000008DD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000913000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000922000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057167155.000000000092B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057180875.000000000092C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057192548.000000000092E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8b0000_file.jbxd
Yara matches
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
• Opcode ID: e509d636ced3edae0b60ee3478a8db78f6d890ae5761ed453030487ae92db89b
• Instruction ID: fd7932e240c14c3b7702c8537c5ccaccb3ed8a4c5e9fc1af95cd1c6ea1af5e12
• Opcode Fuzzy Hash: e509d636ced3edae0b60ee3478a8db78f6d890ae5761ed453030487ae92db89b
• Instruction Fuzzy Hash: 16F0C2362007045FDB249F799882FBA7BA5FB80768F05442CFA068B690D7B1DC02DA50
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 008BCD04: EnterCriticalSection.KERNEL32(?,?,008C2718,?,008DC338,00000008,008C28DC,?,?,?), ref: 008BCD13
• EnumSystemLocalesW.KERNEL32(008C5015,00000001,008DC3F8,0000000C,008C5444,00000000), ref: 008C505A
Memory Dump Source
• Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
• Associated: 00000000.00000002.2056993288.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057027095.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.00000000008DD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000913000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000922000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057167155.000000000092B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057180875.000000000092C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057192548.000000000092E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8b0000_file.jbxd
Yara matches
Similarity
• API ID: CriticalEnterEnumLocalesSectionSystem
• String ID:
• API String ID: 1272433827-0
• Opcode ID: 12ff2ec138f22485273b8f140f0a1963ce07cf522de54a6e1b4290e691cb4340
• Instruction ID: c9d60ab83d05e32983eccefafa6503a0a4fe30842fd486dfff86a9bcdf7675ee
• Opcode Fuzzy Hash: 12ff2ec138f22485273b8f140f0a1963ce07cf522de54a6e1b4290e691cb4340
• Instruction Fuzzy Hash: 54F03732A60604DFDB00EF98E842B9D77B0FB48721F00862AF410EB3A1DB799940DF81
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 008C2A40: GetLastError.KERNEL32(?,00000008,008C879F,00000000,008BA890), ref: 008C2A44
  • Part of subcall function 008C2A40: SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 008C2AE6
• EnumSystemLocalesW.KERNEL32(008CBC55,00000001,?,?,?,008CC4C0,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 008CBD33
Memory Dump Source
• Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
• Associated: 00000000.00000002.2056993288.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057027095.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.00000000008DD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000913000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000922000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057167155.000000000092B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057180875.000000000092C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057192548.000000000092E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8b0000_file.jbxd
Yara matches
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
• Opcode ID: e71f5785e949d37c7466eb220411fad1c370ecda7cc81220ad96ab9fca06466e
• Instruction ID: 9f88b00a447582f6a095816eb54ea83935c76381ae5b87b0fb2d105de4ac18b6
• Opcode Fuzzy Hash: e71f5785e949d37c7466eb220411fad1c370ecda7cc81220ad96ab9fca06466e
• Instruction Fuzzy Hash: 47F0E53630020557CB149F79D846B6A7FA4FFC1720F06406CFA0ACB291CB75D942DB90
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,008C15B4,?,20001004,00000000,00000002,?,?,008C0BB6), ref: 008C557C
Memory Dump Source
• Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
• Associated: 00000000.00000002.2056993288.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057027095.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.00000000008DD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000913000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000922000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057167155.000000000092B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057180875.000000000092C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057192548.000000000092E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8b0000_file.jbxd
Yara matches
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: 672eb90673c1f419dcf04331c154bae8c7305faacada697138fa6f03d997777a
• Instruction ID: c9d59928fb42c35fe86a0300b0d81319a965bcdf9a0c3bf5a58be458713a1d25
• Opcode Fuzzy Hash: 672eb90673c1f419dcf04331c154bae8c7305faacada697138fa6f03d997777a
• Instruction Fuzzy Hash: E2E04F31501918BBCF122F64DC08FAE7F26FF44B60F148119FC05A6121CB72EE61AA96
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_00006945,008B5F70), ref: 008B693E
Memory Dump Source
• Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
• Associated: 00000000.00000002.2056993288.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057027095.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.00000000008DD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000913000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000922000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057167155.000000000092B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057180875.000000000092C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057192548.000000000092E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8b0000_file.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: 74d09ceb91de3629445a21df3ff40a6496b574e0b7e9f4471efbc9b314d83bb1
• Instruction ID: 44ea7fafb280caf00457cc6e441a81991008c3a07bc608393f8607174031c443
• Opcode Fuzzy Hash: 74d09ceb91de3629445a21df3ff40a6496b574e0b7e9f4471efbc9b314d83bb1
• Instruction Fuzzy Hash:
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
• Associated: 00000000.00000002.2056993288.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057027095.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.00000000008DD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000913000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000922000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057167155.000000000092B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057180875.000000000092C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057192548.000000000092E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8b0000_file.jbxd
Yara matches
Similarity
• API ID: HeapProcess
• String ID:
• API String ID: 54951025-0
• Opcode ID: 22cc79b67939fce3e2f2f26fb99e2edd6b248d6c7688ab4f8caa13863b313c58
• Instruction ID: b5ed8061b4e323dd3e8048e6f40672785e7ead888a01934b33c9496f9aceb47a
• Opcode Fuzzy Hash: 22cc79b67939fce3e2f2f26fb99e2edd6b248d6c7688ab4f8caa13863b313c58
• Instruction Fuzzy Hash: 5BA02430103101CF4300CF35DF0430C37D575051C130050155400C5130DF3CC000D701
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
• Associated: 00000000.00000002.2056993288.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057027095.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.00000000008DD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000913000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000922000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057167155.000000000092B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057180875.000000000092C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057192548.000000000092E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8b0000_file.jbxd
Yara matches
Similarity
• API ID: ErrorLastProcess$CurrentFeatureInfoLocalePresentProcessorTerminate
• String ID:
• API String ID: 3471368781-0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
APIs
• DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,008D09FF), ref: 008D10AC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8b0000_file.jbxd
Yara matches
Similarity
• API ID: DecodePointer
• String ID: acos$asin$exp$log$log10$pow$sqrt
• API String ID: 3527080286-3064271455
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
APIs
• type_info::operator==.LIBVCRUNTIME ref: 008B9747
• ___TypeMatch.LIBVCRUNTIME ref: 008B9855
• _UnwindNestedFrames.LIBCMT ref: 008B99A7
• CallUnexpected.LIBVCRUNTIME ref: 008B99C2
Strings
Memory Dump Source
• Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8b0000_file.jbxd
Yara matches
Similarity
• API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
• String ID: csm$csm$csm
• API String ID: 2751267872-393685449
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
APIs
• GetCPInfo.KERNEL32(01024C88,01024C88,?,7FFFFFFF,?,008D078A,01024C88,01024C88,?,01024C88,?,?,?,?,01024C88,?), ref: 008D0560
• __alloca_probe_16.LIBCMT ref: 008D061B
• __alloca_probe_16.LIBCMT ref: 008D06AA
• __freea.LIBCMT ref: 008D06F5
• __freea.LIBCMT ref: 008D06FB
• __freea.LIBCMT ref: 008D0731
• __freea.LIBCMT ref: 008D0737
• __freea.LIBCMT ref: 008D0747
Memory Dump Source
• Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8b0000_file.jbxd
Yara matches
Similarity
• API ID: __freea$__alloca_probe_16$Info
• String ID:
• API String ID: 127012223-0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (rendered graph omitted; legend: Executed / Not Executed)
Memory Dump Source
• Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
• Associated: 00000000.00000002.2056993288.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057027095.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.00000000008DD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000913000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000922000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057167155.000000000092B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057180875.000000000092C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057192548.000000000092E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8b0000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 008B4842
• std::_Lockit::_Lockit.LIBCPMT ref: 008B484C
• int.LIBCPMT ref: 008B4863
  • Part of subcall function 008B21B2: std::_Lockit::_Lockit.LIBCPMT ref: 008B21C3
  • Part of subcall function 008B21B2: std::_Lockit::~_Lockit.LIBCPMT ref: 008B21DD
• codecvt.LIBCPMT ref: 008B4886
• std::_Facet_Register.LIBCPMT ref: 008B489D
• std::_Lockit::~_Lockit.LIBCPMT ref: 008B48BD
Memory Dump Source
• Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8b0000_file.jbxd
Yara matches
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
• String ID:
• API String ID: 712880209-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,?,008B92B1,008B79E7,008B6989), ref: 008B92C8
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 008B92D6
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 008B92EF
• SetLastError.KERNEL32(00000000,008B92B1,008B79E7,008B6989), ref: 008B9341
Memory Dump Source
• Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8b0000_file.jbxd
Yara matches
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,E64169D8,?,?,00000000,008D20C7,000000FF,?,008C00C1,?,?,008C0095,00000000), ref: 008C0166
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 008C0178
• FreeLibrary.KERNEL32(00000000,?,00000000,008D20C7,000000FF,?,008C00C1,?,?,008C0095,00000000), ref: 008C019A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8b0000_file.jbxd
Yara matches
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
Uniqueness

Uniqueness Score: -1.00%

APIs
• __alloca_probe_16.LIBCMT ref: 008C6271
• __alloca_probe_16.LIBCMT ref: 008C6332
• __freea.LIBCMT ref: 008C6399
  • Part of subcall function 008C3D30: HeapAlloc.KERNEL32(00000000,01020CF0,00000000,?,008B6126,01020CF0,?,008B26AE,00000044,00000000,01020CF0), ref: 008C3D62
• __freea.LIBCMT ref: 008C63AE
• __freea.LIBCMT ref: 008C63BE
Memory Dump Source
• Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8b0000_file.jbxd
Yara matches
Similarity
• API ID: __freea$__alloca_probe_16$AllocHeap
• String ID:
• API String ID: 1096550386-0
                                                                                                                                                      • Opcode ID: 954d2496d35de2df557798ec08b990ed66e852b9ad6ba8774619d0fbd5c72dc9
                                                                                                                                                      • Instruction ID: c684d4258985732c3d7c3c187a5bf2e83039fcd4395b445b2040f0c15a01e639
                                                                                                                                                      • Opcode Fuzzy Hash: 954d2496d35de2df557798ec08b990ed66e852b9ad6ba8774619d0fbd5c72dc9
                                                                                                                                                      • Instruction Fuzzy Hash: 1D517A7260025AAFEF219EA8DC81FAB3BB9FF44714B19453DFD04D6251FA30DC6096A1
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 008B414A
• std::_Lockit::_Lockit.LIBCPMT ref: 008B4155
• std::_Lockit::~_Lockit.LIBCPMT ref: 008B41C3
  • Part of subcall function 008B42A6: std::locale::_Locimp::_Locimp.LIBCPMT ref: 008B42BE
• std::locale::_Setgloballocale.LIBCPMT ref: 008B4170
• _Yarn.LIBCPMT ref: 008B4186
Memory Dump Source
• Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
• Associated: 00000000.00000002.2056993288.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057027095.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.00000000008DD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000913000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000922000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057167155.000000000092B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057180875.000000000092C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057192548.000000000092E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8b0000_file.jbxd
Yara matches
Similarity
• API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
• String ID:
• API String ID: 1088826258-0
• Opcode ID: a9546435c6345056cf6b7b93424884395397cf48bd06239cb44efe23f5f0c8f6
• Instruction ID: c9ddc2ceb5fcfe6b51ca3f111e5de7df8acb10811e5e4282418269d1d92180d6
• Opcode Fuzzy Hash: a9546435c6345056cf6b7b93424884395397cf48bd06239cb44efe23f5f0c8f6
• Instruction Fuzzy Hash: AB018F75A015219FDB06FF68D8865BD7B71FF84350B18410AF8119B382DF74AE46CB92
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNEL32(?,00000000,00000800,?,008BA3B3,00000000,00000000,?,?,?,?,008BA4DD,00000002,FlsGetValue,008D4CC8,FlsGetValue), ref: 008BA40F
• GetLastError.KERNEL32(?,008BA3B3,00000000,00000000,?,?,?,?,008BA4DD,00000002,FlsGetValue,008D4CC8,FlsGetValue,00000000,?,008B936D), ref: 008BA419
• LoadLibraryExW.KERNEL32(?,00000000,00000000,008D4CC8,FlsGetValue,00000000,?,008B936D), ref: 008BA441
Strings
Memory Dump Source
• Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
• Associated: 00000000.00000002.2056993288.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057027095.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.00000000008DD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000913000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000922000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057167155.000000000092B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057180875.000000000092C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057192548.000000000092E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8b0000_file.jbxd
Yara matches
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID: api-ms-
• API String ID: 3177248105-2084034818
• Opcode ID: 8e4ff71125f714e5940311e014d9060bd5902d546a774d10bded267b51bd0131
• Instruction ID: e817819c68bb48092511df01f59bb7f387dff7d1dc1fd110627076c903a5d829
• Opcode Fuzzy Hash: 8e4ff71125f714e5940311e014d9060bd5902d546a774d10bded267b51bd0131
• Instruction Fuzzy Hash: 77E01A30294206BBEF201B60EC4AB983A68FF00B41F104020F90DE82E1DFB1D812A69A
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetConsoleOutputCP.KERNEL32(E64169D8,00000000,00000000,00000000), ref: 008C7102
  • Part of subcall function 008C8847: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,008C638F,?,00000000,-00000008), ref: 008C88F3
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 008C735D
• WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 008C73A5
• GetLastError.KERNEL32 ref: 008C7448
Memory Dump Source
• Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
• Associated: 00000000.00000002.2056993288.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057027095.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.00000000008DD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000913000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000922000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057167155.000000000092B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057180875.000000000092C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057192548.000000000092E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8b0000_file.jbxd
Yara matches
Similarity
• API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
• String ID:
• API String ID: 2112829910-0
• Opcode ID: 85c9c806e2bf395c9bbc70eadeee1aac6b746a68c7d77651f28b4fa528b31bcd
• Instruction ID: c4dad6f6de7dd7f8988e48b0ac038939160ace02858f455bec3301738e42b4b1
• Opcode Fuzzy Hash: 85c9c806e2bf395c9bbc70eadeee1aac6b746a68c7d77651f28b4fa528b31bcd
• Instruction Fuzzy Hash: 58D125B5E04258AFCB15CFA8D880AADBBB5FF49314F18452EE856EB351D630E942CF50
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
• Associated: 00000000.00000002.2056993288.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057027095.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.00000000008DD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000913000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000922000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057167155.000000000092B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057180875.000000000092C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057192548.000000000092E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8b0000_file.jbxd
Yara matches
Similarity
• API ID: AdjustPointer
• String ID:
• API String ID: 1740715915-0
• Opcode ID: 06263039be665996b1fd75a8c676cd99d63b3e13939400c6925e37fcbab2916e
• Instruction ID: 69c4a8794e474cc8b8a2701e6546fcae033969ba8602ef525767d06daae9953f
• Opcode Fuzzy Hash: 06263039be665996b1fd75a8c676cd99d63b3e13939400c6925e37fcbab2916e
• Instruction Fuzzy Hash: C351DE72604606EFDB2A8F18D851BFA77A4FF44310F14412DEA95D63A1E731EC82CB91
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 008C8847: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,008C638F,?,00000000,-00000008), ref: 008C88F3
• GetLastError.KERNEL32 ref: 008C8CC7
• __dosmaperr.LIBCMT ref: 008C8CCE
• GetLastError.KERNEL32(?,?,?,?), ref: 008C8D08
• __dosmaperr.LIBCMT ref: 008C8D0F
Memory Dump Source
• Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
• Associated: 00000000.00000002.2056993288.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057027095.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.00000000008DD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000913000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000922000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057167155.000000000092B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057180875.000000000092C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057192548.000000000092E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8b0000_file.jbxd
Yara matches
Similarity
• API ID: ErrorLast__dosmaperr$ByteCharMultiWide
• String ID:
• API String ID: 1913693674-0
• Opcode ID: 86d7f83761179892e69153078b659f6101b83a4d118d29b74adb5a7e1c310a3e
• Instruction ID: d8638dcb2f9e671c66647c1fb40af9cb213612943ece0f90a940565aa01d0a99
• Opcode Fuzzy Hash: 86d7f83761179892e69153078b659f6101b83a4d118d29b74adb5a7e1c310a3e
• Instruction Fuzzy Hash: 7A21B371640619EFDB60AF69C881E6BB7B9FF14364710852CF929D7250DF34EC008BA1
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.2056993288.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057027095.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057040700.00000000008DD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057040700.0000000000913000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057040700.0000000000922000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057167155.000000000092B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057180875.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057192548.000000000092E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                                                                                                                                      Yara matches
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: c6ce18b959aa065b6d68c37d49f45fa76f5128d2441c3ba994b8dea8f9867407
                                                                                                                                                      • Instruction ID: c981afb74b9eac516ddb2d0ae59b41fecb8ffd76b1e5021f5f10c88ddbf97bcb
                                                                                                                                                      • Opcode Fuzzy Hash: c6ce18b959aa065b6d68c37d49f45fa76f5128d2441c3ba994b8dea8f9867407
                                                                                                                                                      • Instruction Fuzzy Hash: 7F219F31600209BFCB30AF798C819EA77A8FF51365710453AFA16D7352E730ED018BA1
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      APIs
                                                                                                                                                      • GetEnvironmentStringsW.KERNEL32 ref: 008C9C01
                                                                                                                                                        • Part of subcall function 008C8847: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,008C638F,?,00000000,-00000008), ref: 008C88F3
                                                                                                                                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 008C9C39
                                                                                                                                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 008C9C59
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.2056993288.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057027095.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057040700.00000000008DD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057040700.0000000000913000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057040700.0000000000922000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057167155.000000000092B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057180875.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057192548.000000000092E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                                                                                                                                      Yara matches
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 158306478-0
                                                                                                                                                      • Opcode ID: 974227c0694320be36f0b42ad281aa3929d95df9bf9d5e24f165a4491f19c759
                                                                                                                                                      • Instruction ID: 075218ceec58e4f94430cb27511c8a960764f3ead10ade2e479907b19f2e6d19
                                                                                                                                                      • Opcode Fuzzy Hash: 974227c0694320be36f0b42ad281aa3929d95df9bf9d5e24f165a4491f19c759
                                                                                                                                                      • Instruction Fuzzy Hash: 8B1104E2504659BE672167B95DCEEAF29BCFF85399311046CF802E2101FE34CE024572
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      APIs
                                                                                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 008B19E3
                                                                                                                                                      • int.LIBCPMT ref: 008B19F6
                                                                                                                                                        • Part of subcall function 008B21B2: std::_Lockit::_Lockit.LIBCPMT ref: 008B21C3
                                                                                                                                                        • Part of subcall function 008B21B2: std::_Lockit::~_Lockit.LIBCPMT ref: 008B21DD
                                                                                                                                                      • std::_Facet_Register.LIBCPMT ref: 008B1A29
                                                                                                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 008B1A3F
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.2056993288.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057027095.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057040700.00000000008DD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057040700.0000000000913000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057040700.0000000000922000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057167155.000000000092B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057180875.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057192548.000000000092E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                                                                                                                                      Yara matches
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 459529453-0
                                                                                                                                                      • Opcode ID: e21ead309041ebcbee93eff83a1c1c11827a765e5411fa693f0afc7c883860a8
                                                                                                                                                      • Instruction ID: 507f14ea851602af175cda5f9e032f1afeeae7e1b2f737a33a873e5465a235b9
                                                                                                                                                      • Opcode Fuzzy Hash: e21ead309041ebcbee93eff83a1c1c11827a765e5411fa693f0afc7c883860a8
                                                                                                                                                      • Instruction Fuzzy Hash: AA01A772501524ABCB15FB68DC599EE7768FF44760B20014AF501DB392FF30EE418795
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      APIs
                                                                                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 008B1AD5
                                                                                                                                                      • int.LIBCPMT ref: 008B1AE8
                                                                                                                                                        • Part of subcall function 008B21B2: std::_Lockit::_Lockit.LIBCPMT ref: 008B21C3
                                                                                                                                                        • Part of subcall function 008B21B2: std::_Lockit::~_Lockit.LIBCPMT ref: 008B21DD
                                                                                                                                                      • std::_Facet_Register.LIBCPMT ref: 008B1B1B
                                                                                                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 008B1B31
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.2056993288.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057027095.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057040700.00000000008DD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057040700.0000000000913000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057040700.0000000000922000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057167155.000000000092B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057180875.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057192548.000000000092E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                                                                                                                                      Yara matches
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 459529453-0
                                                                                                                                                      • Opcode ID: 9db2e9d922781765bfdc1e90eba5af5b56d44e116e26df95953a558e17b7bd20
                                                                                                                                                      • Instruction ID: a027ab3c08a41c74e62ce8bd6e72574aac3afcc56f4c1af3da897a9640bcfbde
                                                                                                                                                      • Opcode Fuzzy Hash: 9db2e9d922781765bfdc1e90eba5af5b56d44e116e26df95953a558e17b7bd20
                                                                                                                                                      • Instruction Fuzzy Hash: A401F772500514ABCF15ABACDD198EE7B69FF48770B100119F502DB391FF30AE018785
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      APIs
                                                                                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 008B1A5C
                                                                                                                                                      • int.LIBCPMT ref: 008B1A6F
                                                                                                                                                        • Part of subcall function 008B21B2: std::_Lockit::_Lockit.LIBCPMT ref: 008B21C3
                                                                                                                                                        • Part of subcall function 008B21B2: std::_Lockit::~_Lockit.LIBCPMT ref: 008B21DD
                                                                                                                                                      • std::_Facet_Register.LIBCPMT ref: 008B1AA2
                                                                                                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 008B1AB8
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.2056993288.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057027095.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057040700.00000000008DD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057040700.0000000000913000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057040700.0000000000922000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057167155.000000000092B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057180875.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.2057192548.000000000092E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                                                                                                                                      Yara matches
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 459529453-0
                                                                                                                                                      • Opcode ID: cf9eb7a24b21f046e176489790910a6ef55071acfdd697e726e2335d55b3efff
• Instruction ID: 97848af556d5573b2eb701458fe71cab0a8040093a50b2a09c2b492b3847165d
• Opcode Fuzzy Hash: cf9eb7a24b21f046e176489790910a6ef55071acfdd697e726e2335d55b3efff
• Instruction Fuzzy Hash: BA01A272901524ABCB15ABACDC1A8EE7778FF85360B540249F902DB391EF30AF4187C2
Uniqueness

Uniqueness Score: -1.00%

APIs
• WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,00000000,?,008CF1AA,00000000,00000001,00000000,00000000,?,008C749C,00000000,00000000,00000000), ref: 008D0306
• GetLastError.KERNEL32(?,008CF1AA,00000000,00000001,00000000,00000000,?,008C749C,00000000,00000000,00000000,00000000,00000000,?,008C7A23,00000000), ref: 008D0312
  • Part of subcall function 008D02D8: CloseHandle.KERNEL32(FFFFFFFE,008D0322,?,008CF1AA,00000000,00000001,00000000,00000000,?,008C749C,00000000,00000000,00000000,00000000,00000000), ref: 008D02E8
• ___initconout.LIBCMT ref: 008D0322
  • Part of subcall function 008D029A: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,008D02C9,008CF197,00000000,?,008C749C,00000000,00000000,00000000,00000000), ref: 008D02AD
• WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,?,008CF1AA,00000000,00000001,00000000,00000000,?,008C749C,00000000,00000000,00000000,00000000), ref: 008D0337
Memory Dump Source
• Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
• Associated: 00000000.00000002.2056993288.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057027095.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.00000000008DD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000913000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000922000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057167155.000000000092B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057180875.000000000092C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057192548.000000000092E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8b0000_file.jbxd
Yara matches
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
• String ID:
• API String ID: 2744216297-0
• Opcode ID: 60bbbf10711b688f71ab653078622c52107ade5d2f23268e7108e607e5af448d
• Instruction ID: b44aec3725e6987993e33b27223d88ae4306f49d81cb893534b1d0e81d4066a9
• Opcode Fuzzy Hash: 60bbbf10711b688f71ab653078622c52107ade5d2f23268e7108e607e5af448d
• Instruction Fuzzy Hash: F6F03036145228BFCF226FD9DC48A8D3F26FB083A1F084215FA19D6230C6328821EF91
Uniqueness

Uniqueness Score: -1.00%

APIs
• ___except_validate_context_record.LIBVCRUNTIME ref: 008B90FF
• __IsNonwritableInCurrentImage.LIBCMT ref: 008B91B3
Strings
Memory Dump Source
• Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
• Associated: 00000000.00000002.2056993288.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057027095.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.00000000008DD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000913000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000922000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057167155.000000000092B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057180875.000000000092C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057192548.000000000092E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8b0000_file.jbxd
Yara matches
Similarity
• API ID: CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 3480331319-1018135373
• Opcode ID: 0f2f5d2bf73b8b7486fc2a8f87c0cfaa9d0daafdda51f32471e105207a03b305
• Instruction ID: f5aca0f37abcd393daf522f051cef59c116ba6be4ad4261b7cb37df95ad2c799
• Opcode Fuzzy Hash: 0f2f5d2bf73b8b7486fc2a8f87c0cfaa9d0daafdda51f32471e105207a03b305
• Instruction Fuzzy Hash: B041B234A00209ABCF14DF6CC889ADEBBB5FF45314F148155E968EB392D735EA06CB91
Uniqueness

Uniqueness Score: -1.00%

APIs
• EncodePointer.KERNEL32(00000000,?), ref: 008B99F2
Strings
Memory Dump Source
• Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
• Associated: 00000000.00000002.2056993288.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057027095.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.00000000008DD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000913000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000922000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057167155.000000000092B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057180875.000000000092C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057192548.000000000092E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8b0000_file.jbxd
Yara matches
Similarity
• API ID: EncodePointer
• String ID: MOC$RCC
• API String ID: 2118026453-2084237596
• Opcode ID: 48013e9911fd16dfc7caf648ddaeb51f4866b45bb65c0d6a8eed3df3047cb078
• Instruction ID: 982f790b0c7dc1b6105edb4e85f26f96dde21acbfb6a42f057cb4e432fa3f2fb
• Opcode Fuzzy Hash: 48013e9911fd16dfc7caf648ddaeb51f4866b45bb65c0d6a8eed3df3047cb078
• Instruction Fuzzy Hash: C0416772900219EFCF16DF98CC81AEEBBB5FF48300F189099FA59A7221D335A950DB51
Uniqueness

Uniqueness Score: -1.00%

APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 008B1C53
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 008B1C8B
  • Part of subcall function 008B4241: _Yarn.LIBCPMT ref: 008B4260
  • Part of subcall function 008B4241: _Yarn.LIBCPMT ref: 008B4284
Strings
Memory Dump Source
• Source File: 00000000.00000002.2057007559.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
• Associated: 00000000.00000002.2056993288.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057027095.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.00000000008DD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000913000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057040700.0000000000922000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057167155.000000000092B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057180875.000000000092C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057192548.000000000092E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8b0000_file.jbxd
Yara matches
Similarity
• API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
• String ID: bad locale name
• API String ID: 1908188788-1405518554
• Opcode ID: 16e9b4c1e45c7c2a0e41d5c0308c383357a300a41a975512b0b8caaa3c06e1ef
• Instruction ID: c23d20b1ebb9479113c7db31b0891b246d5a580764e813d6c3257de9570840a1
• Opcode Fuzzy Hash: 16e9b4c1e45c7c2a0e41d5c0308c383357a300a41a975512b0b8caaa3c06e1ef
• Instruction Fuzzy Hash: 86F01D71505B409E83319F6A9481453FBE4FE293103948A2FE1DEC3B11D730A508CB6A
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 7.3%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 92
Total number of Limit Nodes: 10
                                                                                                                                                      execution_graph 28532 11ed0b8 28533 11ed0fe GetCurrentProcess 28532->28533 28535 11ed149 28533->28535 28536 11ed150 GetCurrentThread 28533->28536 28535->28536 28537 11ed18d GetCurrentProcess 28536->28537 28538 11ed186 28536->28538 28539 11ed1c3 28537->28539 28538->28537 28540 11ed1eb GetCurrentThreadId 28539->28540 28541 11ed21c 28540->28541 28542 11e4668 28543 11e4684 28542->28543 28544 11e4696 28543->28544 28548 11e47a0 28543->28548 28553 11e3e10 28544->28553 28549 11e47c5 28548->28549 28557 11e48b0 28549->28557 28561 11e48a1 28549->28561 28554 11e3e1b 28553->28554 28569 11e5c54 28554->28569 28556 11e46b5 28558 11e48d7 28557->28558 28559 11e49b4 28558->28559 28565 11e4248 28558->28565 28563 11e48d7 28561->28563 28562 11e49b4 28562->28562 28563->28562 28564 11e4248 CreateActCtxA 28563->28564 28564->28562 28566 11e5940 CreateActCtxA 28565->28566 28568 11e5a03 28566->28568 28570 11e5c5f 28569->28570 28573 11e5c64 28570->28573 28572 11e709d 28572->28556 28574 11e5c6f 28573->28574 28577 11e5c94 28574->28577 28576 11e717a 28576->28572 28578 11e5c9f 28577->28578 28581 11e5cc4 28578->28581 28580 11e726d 28580->28576 28582 11e5ccf 28581->28582 28584 11e8653 28582->28584 28587 11ead01 28582->28587 28583 11e8691 28583->28580 28584->28583 28591 11ecde0 28584->28591 28596 11ead38 28587->28596 28600 11ead28 28587->28600 28588 11ead16 28588->28584 28592 11ece11 28591->28592 28593 11ece35 28592->28593 28633 11ecf90 28592->28633 28637 11ecfa0 28592->28637 28593->28583 28605 11eae30 28596->28605 28613 11eae20 28596->28613 28597 11ead47 28597->28588 28601 11ead38 28600->28601 28603 11eae30 2 API calls 28601->28603 28604 11eae20 2 API calls 28601->28604 28602 11ead47 28602->28588 28603->28602 28604->28602 28606 11eae41 28605->28606 28607 11eae64 28605->28607 28606->28607 28621 11eb0b8 28606->28621 28625 11eb0c8 28606->28625 
28607->28597 28608 11eae5c 28608->28607 28609 11eb068 GetModuleHandleW 28608->28609 28610 11eb095 28609->28610 28610->28597 28614 11eae41 28613->28614 28615 11eae64 28613->28615 28614->28615 28619 11eb0b8 LoadLibraryExW 28614->28619 28620 11eb0c8 LoadLibraryExW 28614->28620 28615->28597 28616 11eae5c 28616->28615 28617 11eb068 GetModuleHandleW 28616->28617 28618 11eb095 28617->28618 28618->28597 28619->28616 28620->28616 28622 11eb0dc 28621->28622 28623 11eb101 28622->28623 28629 11ea870 28622->28629 28623->28608 28626 11eb0dc 28625->28626 28627 11ea870 LoadLibraryExW 28626->28627 28628 11eb101 28626->28628 28627->28628 28628->28608 28630 11eb2a8 LoadLibraryExW 28629->28630 28632 11eb321 28630->28632 28632->28623 28634 11ecfad 28633->28634 28635 11ecfe7 28634->28635 28641 11ec8d8 28634->28641 28635->28593 28638 11ecfad 28637->28638 28639 11ecfe7 28638->28639 28640 11ec8d8 3 API calls 28638->28640 28639->28593 28640->28639 28642 11ec8dd 28641->28642 28644 11ed8f8 28642->28644 28645 11eca04 28642->28645 28644->28644 28646 11eca0f 28645->28646 28647 11e5cc4 3 API calls 28646->28647 28648 11ed967 28647->28648 28648->28644 28530 11ed300 DuplicateHandle 28531 11ed396 28530->28531
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000001.00000002.2208511822.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_1_2_67a0000_RegAsm.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: ff276f8aaa998b083d3af4959f540e28970b295f3dd3a5fb8325c26753153bac
                                                                                                                                                      • Instruction ID: 33217190f384d2c3a6ef8a79da472d8748c40dd42b72a8df50ec16a380dca42f
                                                                                                                                                      • Opcode Fuzzy Hash: ff276f8aaa998b083d3af4959f540e28970b295f3dd3a5fb8325c26753153bac
                                                                                                                                                      • Instruction Fuzzy Hash: C5229D31A003099FDB55DF68D890BAEBBF2FF89310F188669E5159B251DB30ED46CB90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2208511822.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_67a0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2208511822.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_67a0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32 ref: 011ED136
• GetCurrentThread.KERNEL32 ref: 011ED173
• GetCurrentProcess.KERNEL32 ref: 011ED1B0
• GetCurrentThreadId.KERNEL32 ref: 011ED209
Memory Dump Source
• Source File: 00000001.00000002.2197409248.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_11e0000_RegAsm.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32 ref: 011ED136
• GetCurrentThread.KERNEL32 ref: 011ED173
• GetCurrentProcess.KERNEL32 ref: 011ED1B0
• GetCurrentThreadId.KERNEL32 ref: 011ED209
Memory Dump Source
• Source File: 00000001.00000002.2197409248.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_11e0000_RegAsm.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 011EB086
Memory Dump Source
• Source File: 00000001.00000002.2197409248.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_11e0000_RegAsm.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• CreateActCtxA.KERNEL32(?), ref: 011E59F1
Memory Dump Source
• Source File: 00000001.00000002.2197409248.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_11e0000_RegAsm.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• CreateActCtxA.KERNEL32(?), ref: 011E59F1
Memory Dump Source
• Source File: 00000001.00000002.2197409248.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_11e0000_RegAsm.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011ED387
Memory Dump Source
• Source File: 00000001.00000002.2197409248.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_11e0000_RegAsm.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011ED387
Memory Dump Source
• Source File: 00000001.00000002.2197409248.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_11e0000_RegAsm.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

Control-flow Graph (graph node and edge data omitted)
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,011EB101,00000800,00000000,00000000), ref: 011EB312
Memory Dump Source
• Source File: 00000001.00000002.2197409248.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_11e0000_RegAsm.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 33a5e8afb4723422f911ffd7a115eafb84e8a4f5d0a802002846191fe217fffc
• Instruction ID: 621e0933c62a9218dd9c11ce97639d6dc9acb5d3a2ceacb04af80f9195a69da2
• Opcode Fuzzy Hash: 33a5e8afb4723422f911ffd7a115eafb84e8a4f5d0a802002846191fe217fffc
• Instruction Fuzzy Hash: 3D1103B68047499FDB14CF9AC448A9EFBF4EF88710F14842AD919B7200C374A545CFA5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (graph node and edge data omitted)
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,011EB101,00000800,00000000,00000000), ref: 011EB312
Memory Dump Source
• Source File: 00000001.00000002.2197409248.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_11e0000_RegAsm.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 2552c5707b53e03b95a9a5aaccb4dee85e4af606dc22588aaefcf69877b3a3b7
• Instruction ID: 8097e67fa94b7e7acf8ae6b58eacd938b11ba7d86cd78d70e9899d6a847e176e
• Opcode Fuzzy Hash: 2552c5707b53e03b95a9a5aaccb4dee85e4af606dc22588aaefcf69877b3a3b7
• Instruction Fuzzy Hash: FE1100B68046498FDB14CFAAC844ADEBBF4AF88720F14842AD919A7210C379A545CFA5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (graph node and edge data omitted)
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 011EB086
Memory Dump Source
• Source File: 00000001.00000002.2197409248.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_11e0000_RegAsm.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 71ff960972c9fc5ac6941c51c4935d980f3a673723320ee124dd41d82c13ad0a
• Instruction ID: 2fb38bd68a550ae63d5f5fbd4e7f8f184a21fcf8fc6791c2fad27380a71f27d8
• Opcode Fuzzy Hash: 71ff960972c9fc5ac6941c51c4935d980f3a673723320ee124dd41d82c13ad0a
• Instruction Fuzzy Hash: D21110B6C00749CFDB24CF9AC444BDEFBF4AB88620F14842AD528B7210C379A549CFA5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (graph node and edge data omitted)
Strings
Memory Dump Source
• Source File: 00000001.00000002.2208511822.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_67a0000_RegAsm.jbxd
Similarity
• API ID:
• String ID: d
• API String ID: 0-2564639436
• Opcode ID: 0c1198f2733e70859c4dc85ffc591e3f5a7233452aef83f2a230fc219a05fe33
• Instruction ID: 3a5ab840af97b1602c8346418bc216d2eb5535965b84d3c16817f3a4184678b9
• Opcode Fuzzy Hash: 0c1198f2733e70859c4dc85ffc591e3f5a7233452aef83f2a230fc219a05fe33
• Instruction Fuzzy Hash: C6C13734600702DFD764CF18C48096ABBF2FF88314B2ACA59D55A9B666D730FD46CB90
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (graph node and edge data omitted)
Memory Dump Source
• Source File: 00000001.00000002.2208493362.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6780000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fa0307f4297057f494186a6d9b1167f80c105178be93835d5a3874329b96fdcd
• Instruction ID: ce740a7ded7d33dce91a66b10a0139904d06b9db645ca524f077b612be0cad7b
• Opcode Fuzzy Hash: fa0307f4297057f494186a6d9b1167f80c105178be93835d5a3874329b96fdcd
• Instruction Fuzzy Hash: ECC24F70B502189FCB54DF64C954AEDBBF2EF89700F10409AE616AB3A1DB719E81CF91
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (graph node and edge data omitted)
Memory Dump Source
• Source File: 00000001.00000002.2208493362.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6780000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9d94e6e828dffffb83eba914497fd74c1904a08ea8204198f972ae39a94b1965
• Instruction ID: e0f3c3d8ad714dff325bfdbf2124d455d6edf522be542729a6cd1253ee96d95f
• Opcode Fuzzy Hash: 9d94e6e828dffffb83eba914497fd74c1904a08ea8204198f972ae39a94b1965
• Instruction Fuzzy Hash: 15621975B402149FCB44DFA8C894EAEBBF6EF89700F118099E606DB3A5DA71ED41CB50
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (graph node and edge data omitted)
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000001.00000002.2208493362.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_1_2_6780000_RegAsm.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 2f94eee2086daa182d13f6242d92ec0bb4c1381a24a2c98541115783f64abb26
                                                                                                                                                      • Instruction ID: 37fd67b33a94aff72767030d0cede85dd6f8eedb706406a8f2d23f72387ea55b
                                                                                                                                                      • Opcode Fuzzy Hash: 2f94eee2086daa182d13f6242d92ec0bb4c1381a24a2c98541115783f64abb26
                                                                                                                                                      • Instruction Fuzzy Hash: F042AB707507199FEB64AB78D4A462E7BF2FFC6204B40891CD5079B390DB7AED068B81
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000001.00000002.2208493362.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_1_2_6780000_RegAsm.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: a6ba858fd09c483b1a162c299c64b6e51343e696bb86218571c15b502f73ef56
                                                                                                                                                      • Instruction ID: 3450ff04cd66799813426d8be22bd60f3dfaa1c6e7261888751d494e4a5f904a
                                                                                                                                                      • Opcode Fuzzy Hash: a6ba858fd09c483b1a162c299c64b6e51343e696bb86218571c15b502f73ef56
                                                                                                                                                      • Instruction Fuzzy Hash: 20329370B402059FEB55EB69C858A7E7BF6BF89704B14845AE506CB3A2DF34DC02CB91
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000001.00000002.2208511822.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_1_2_67a0000_RegAsm.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 3d635f7c9ba2e994b1fe9eb4175722ee718140689e2021dc1561eb1fd96bb386
                                                                                                                                                      • Instruction ID: 4be6fdb5b861afba9199f03522cf70a7a05c9010e6b97e2b3886d24c784a3f3b
                                                                                                                                                      • Opcode Fuzzy Hash: 3d635f7c9ba2e994b1fe9eb4175722ee718140689e2021dc1561eb1fd96bb386
                                                                                                                                                      • Instruction Fuzzy Hash: EC124634B00605CFCB54DF39C998A6ABBF2BF89301B1585A9E506CB366DB71EC45CB90
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000001.00000002.2208511822.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_1_2_67a0000_RegAsm.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: f6c13791fe5e335643fe33217ade95d9601486ff594fd982b7047686ab292644
                                                                                                                                                      • Instruction ID: ce7da23780e6851de2e27af0c652e8ed222dba98ed872e8e56e2cadca423f10f
                                                                                                                                                      • Opcode Fuzzy Hash: f6c13791fe5e335643fe33217ade95d9601486ff594fd982b7047686ab292644
                                                                                                                                                      • Instruction Fuzzy Hash: D7E15D34F102158FCB54DF69C894AAEBBF6BFC9600B148169E906EB369DB71DC41CB90
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000001.00000002.2208493362.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_1_2_6780000_RegAsm.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 7e46064b1acd0a7a97ac14cbd99a53cc433bb07aa896044590b4f4901027ce8e
                                                                                                                                                      • Instruction ID: 2b534de45275cd398c143bc2836a73f978467ae5b96919ef46b9c153dca5c6e4
                                                                                                                                                      • Opcode Fuzzy Hash: 7e46064b1acd0a7a97ac14cbd99a53cc433bb07aa896044590b4f4901027ce8e
                                                                                                                                                      • Instruction Fuzzy Hash: 6AC1C5747402069FEB54AB64C8A4A3E7BE6FF86304F54846AE6078B392DF75DC02C791
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000001.00000002.2208493362.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_1_2_6780000_RegAsm.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 77adde00d93804721dbd4235c937115a32d087e56cf939a2b948b35e4d7dac21
                                                                                                                                                      • Instruction ID: 1ed0475127cfc12b45575c2b363fcd1186e1731b755b8c729467fb6a9bd67b68
                                                                                                                                                      • Opcode Fuzzy Hash: 77adde00d93804721dbd4235c937115a32d087e56cf939a2b948b35e4d7dac21
                                                                                                                                                      • Instruction Fuzzy Hash: 7AC18F34B50204DFDB44AB64C859B7A7BF6FF8A701F108059EA068B3A1CBB5DD45CB91
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000001.00000002.2208511822.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_1_2_67a0000_RegAsm.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 80b469784c6b187550786b534378c46a425f2f5b1fc9e53288d9c9de5cff3d4a
                                                                                                                                                      • Instruction ID: fa509dd34e332dc04e5d68e3895291aa8f0f080f143f8277987e8fa6b79451b3
                                                                                                                                                      • Opcode Fuzzy Hash: 80b469784c6b187550786b534378c46a425f2f5b1fc9e53288d9c9de5cff3d4a
                                                                                                                                                      • Instruction Fuzzy Hash: E9514375E00318DFDB58CFA9C884BEEBBF5AF88710F148229D415AB244DB749942CF80
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000001.00000002.2208493362.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_1_2_6780000_RegAsm.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 4d06b85e4414df14970b8a2f75a1391951e7474bdddb071c64a001ebcd603d7a
                                                                                                                                                      • Instruction ID: 59f54875cddeb9d34c5495f8388392120ea8e84f03dec80417bfffb4e4c0d807
                                                                                                                                                      • Opcode Fuzzy Hash: 4d06b85e4414df14970b8a2f75a1391951e7474bdddb071c64a001ebcd603d7a
                                                                                                                                                      • Instruction Fuzzy Hash: 9A513835B506159FCB44DFA9C894DAEBBF2EF89710B118069E906AB361EB30EC05CB50
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000001.00000002.2208493362.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_1_2_6780000_RegAsm.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: f9469811e9d8655232f358020791158d8961b46b2aaae1ddad52cb46704f49c7
                                                                                                                                                      • Instruction ID: 40a713144692c18712c1bf281b375ebec3f4a1518c9c2af0b79114f2e3746988
                                                                                                                                                      • Opcode Fuzzy Hash: f9469811e9d8655232f358020791158d8961b46b2aaae1ddad52cb46704f49c7
                                                                                                                                                      • Instruction Fuzzy Hash: 1F514A35B516149FCB44DFA9C894DAEBBF2FF89710B1180A9E906AB361DB31EC05CB50
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000001.00000002.2208493362.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_1_2_6780000_RegAsm.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 854add6c5279c627a1d6f8a5ce51b8d8780c4581541e26c1ee9a90d1c0552603
                                                                                                                                                      • Instruction ID: 956d8b7275fe4f46e74391c4d2254aec81af31c512eb7c7ae43cfb8cf81e0418
                                                                                                                                                      • Opcode Fuzzy Hash: 854add6c5279c627a1d6f8a5ce51b8d8780c4581541e26c1ee9a90d1c0552603
                                                                                                                                                      • Instruction Fuzzy Hash: 3F515E75B442009FCB44EF98C994E7F7BF6EF89A10B118085F6069B7A6CA71DC01CB62
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000001.00000002.2208511822.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_1_2_67a0000_RegAsm.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 90f9b56b25c2e8d7eee42d79fa1f22fe4d7a80c2e6a87e50a629bdf7a4c20a34
• Instruction ID: ec202d279acd024a00cd53f3928d997b05199f2a9239a5c6d75e22f58112a5c4
• Opcode Fuzzy Hash: 90f9b56b25c2e8d7eee42d79fa1f22fe4d7a80c2e6a87e50a629bdf7a4c20a34
• Instruction Fuzzy Hash: D5514D71505F849FC726CF6EC440897FFF4AF9A204B04896EE5DA87B22D274E904CB61
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2208511822.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_67a0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 84d4c02abc556fa70b8d8df9ffd2156d4f641f80161a9107ad3cfc6b993e4ea0
• Instruction ID: c9ed295fd9669ecfd6698386cfe90783bb5fccd18218235e3ad730f2a2392043
• Opcode Fuzzy Hash: 84d4c02abc556fa70b8d8df9ffd2156d4f641f80161a9107ad3cfc6b993e4ea0
• Instruction Fuzzy Hash: 03515674D04359DFDB58CFA9C884BEEBBF5AF88700F148629E405AB240DB749942CF91
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2208511822.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_67a0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aa0b66ffb1f26f33ee5d4febef3f46fe69dac5058dfb7e9891d0c86e1b767a92
• Instruction ID: 966442710f158642c4b3b683ff768705cd2a5565cf7f66d89330cfebe0493685
• Opcode Fuzzy Hash: aa0b66ffb1f26f33ee5d4febef3f46fe69dac5058dfb7e9891d0c86e1b767a92
• Instruction Fuzzy Hash: 1531F2317053504FC329AB38E8605AE7BEBDFCA22030945AAE546CB341CE35ED07C7A1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2208511822.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_67a0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 00e77b4bbda2c2fdcaf0398e9e008f20012fdab7fd7bf3de57064ccf34b45182
• Instruction ID: ae070a63076e83e6ad66dd814c6da00c59a41afdb08b5d6d2a9c7fc1e4371b04
• Opcode Fuzzy Hash: 00e77b4bbda2c2fdcaf0398e9e008f20012fdab7fd7bf3de57064ccf34b45182
• Instruction Fuzzy Hash: 63319E35B01210AFDB55DF34D8449AEBBB3BF8A301B148169EA05CB365DB30DD05CBA1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2208511822.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_67a0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ddcfd5d04d8fce86a564c8aa95e11df513196a730503551082477024e1ed7fc1
• Instruction ID: 48bda96fedc5b694670b0c6673086616cc532182360c2d04834c83bfe5f0255a
• Opcode Fuzzy Hash: ddcfd5d04d8fce86a564c8aa95e11df513196a730503551082477024e1ed7fc1
• Instruction Fuzzy Hash: C231AF757012458FCB08EB79A4645AF77E7ABC8200B544439E606CB385EF35AE0687E2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2208511822.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_67a0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8315a2fc21652535dbf353b889f71ae546469219fbd1511996d2a831f374e3c6
• Instruction ID: 59b743dbd33ebceb7954fdf854ffa347e46488b394359f2379c846a168ae36e9
• Opcode Fuzzy Hash: 8315a2fc21652535dbf353b889f71ae546469219fbd1511996d2a831f374e3c6
• Instruction Fuzzy Hash: 55315734B01211AFDB55DF38D88896EBBB3BF8A301B108569EA06CB355DB31ED01CB90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2208511822.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_67a0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2640ae5ed421a97d36198cae781c2a9be6c8fd62323c1e8b70a7076104c0b31e
• Instruction ID: c202fb9d4934edc74b9209439db6522af2d5d39ad5610af479d6123328106b31
• Opcode Fuzzy Hash: 2640ae5ed421a97d36198cae781c2a9be6c8fd62323c1e8b70a7076104c0b31e
• Instruction Fuzzy Hash: E4410FB1D11248DFDB58CFAAD944ADEFBF6AF88310F14802AE415BB250DB34A945CF91
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2208511822.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_67a0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 77190dc0c2de123027051ea294db7b4a1b9f0107695c528025767a0e9d47643e
• Instruction ID: a167530dcf75ed63c016a93983c94ebea7e4bda40c44fe397806772901e17764
• Opcode Fuzzy Hash: 77190dc0c2de123027051ea294db7b4a1b9f0107695c528025767a0e9d47643e
• Instruction Fuzzy Hash: 963133B0D113489FDB14CFAAC954BDEBBF6AF88310F14812AE414B7290DB309945CF91
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2208511822.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_67a0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b46e7f51a3665fbd8b59e514d1a5270bee839d05ac6d4e7bfa74a33f47d11b73
• Instruction ID: 40417d9a78daf36a984cfccd3d4437581807de5d61c8f7d703356cbb73f16566
• Opcode Fuzzy Hash: b46e7f51a3665fbd8b59e514d1a5270bee839d05ac6d4e7bfa74a33f47d11b73
• Instruction Fuzzy Hash: 9B31E1B1D01358DFDB54CFA9D894B9EBBB5AF88310F14862AE405B7240C774A945CB91
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2197230523.000000000118D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_118d000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ddb1b2b18d096922a09c3830b343fc4bed2bfc7db2981ebe2639ff54cdfebdb3
• Instruction ID: cc33586d574242171e5d79f4443204264c94111384cfc7030a1328baceb7b076
• Opcode Fuzzy Hash: ddb1b2b18d096922a09c3830b343fc4bed2bfc7db2981ebe2639ff54cdfebdb3
• Instruction Fuzzy Hash: C021F471504304EFDF09EF58E9C0B56BB65FB84324F24C569D9090B696C336E456CAA2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2197261181.000000000119D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0119D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_119d000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 161fe9d2524891a5f9798d0d7468aea74f2d4526a182b837c4dc382bbf6abfaf
• Instruction ID: e7191019f42be3da2c20774f1a54f03151ba23b044fcf61b0e3ac509ae61f103
• Opcode Fuzzy Hash: 161fe9d2524891a5f9798d0d7468aea74f2d4526a182b837c4dc382bbf6abfaf
• Instruction Fuzzy Hash: 16213471604300EFDF19DF68E9C0B26BB61FB84354F28C56DD90A4B242C33AD847CA62
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2208511822.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_67a0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ba072146e98517e60a92b31dde9704f9ddd3369f2eb5f5ab2e55b41bb1746838
• Instruction ID: 55d04696e40572c7d932f93cede08e5e14c0eb955a740943909b52735ee1751e
• Opcode Fuzzy Hash: ba072146e98517e60a92b31dde9704f9ddd3369f2eb5f5ab2e55b41bb1746838
• Instruction Fuzzy Hash: A2213078D0425ADFCB00CFA8D584AEEBBB1FF49311F2041AAE421AB391D7341A81CF91
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2208511822.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_67a0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8d81bbd475c931224bd2fdefdfdbeba83f2c57fc3d6b3742a836b6fb20d75de5
• Instruction ID: 408fa7052de01b2bf66125e9588db31a69a93a4f44899134d96478f258b84b93
• Opcode Fuzzy Hash: 8d81bbd475c931224bd2fdefdfdbeba83f2c57fc3d6b3742a836b6fb20d75de5
• Instruction Fuzzy Hash: E22120B0D01348EFDB14CFA9C895BDEBBF9AF88310F14822AE405A7240CB749945CBA1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2208511822.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_67a0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c9830d1ae79eae52f56aa2ce6f8496f39c3f51ab2e7633d93c5d882d0c6f0c19
• Instruction ID: de2c2c65691b0b7d9a0ddcddb1cf3f1e44fd8a5b7d3edd93c363fcfa96d7ff41
                                                                                                                                                      • Opcode Fuzzy Hash: c9830d1ae79eae52f56aa2ce6f8496f39c3f51ab2e7633d93c5d882d0c6f0c19
                                                                                                                                                      • Instruction Fuzzy Hash: 5211A0302113269FC789A734E864ABE3BB7FEC2284348481DD247CBA40DE24A90787A1
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000001.00000002.2197230523.000000000118D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118D000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_1_2_118d000_RegAsm.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: a994b626c5b1a2b6fd6d27e6a0f022d141ef464c75df6f036bdb8b2bbfaa7e2a
                                                                                                                                                      • Instruction ID: 5c46bcb1e4ab738330e4124b6ed366146897cdbbe31af7600fb2dc42777b667c
                                                                                                                                                      • Opcode Fuzzy Hash: a994b626c5b1a2b6fd6d27e6a0f022d141ef464c75df6f036bdb8b2bbfaa7e2a
                                                                                                                                                      • Instruction Fuzzy Hash: 5D11CD72504280DFCF06DF48D9C0B56BF61FB84224F24C6A9D8090A656C33AE45ACFA2
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000001.00000002.2197261181.000000000119D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0119D000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_1_2_119d000_RegAsm.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: ac9c5df3739d9922357d97ee08fe41b46f5237faea4d682c3f3ac9d5e7d34632
                                                                                                                                                      • Instruction ID: 6377fc0a87e6b8a28a3027d07599bf3114e6d3593d2cef60b8ed2aae56fd033f
                                                                                                                                                      • Opcode Fuzzy Hash: ac9c5df3739d9922357d97ee08fe41b46f5237faea4d682c3f3ac9d5e7d34632
                                                                                                                                                      • Instruction Fuzzy Hash: 6611DD75904280DFDF16CF58E5C4B15FFA1FB84314F28C6AAD8094B656C33AD44ACBA2
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000001.00000002.2208511822.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_1_2_67a0000_RegAsm.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 04eef46d46d3ec95fd5e14925449bfa4fc756c1043279cb86f5a9a6aeb782cab
                                                                                                                                                      • Instruction ID: 967fe1d1dba62332efd81324532ecdc07dd9aa80f085427bfaed1acc2d454bae
                                                                                                                                                      • Opcode Fuzzy Hash: 04eef46d46d3ec95fd5e14925449bfa4fc756c1043279cb86f5a9a6aeb782cab
                                                                                                                                                      • Instruction Fuzzy Hash: 9311E1302083118FE325AB34E4186AE3BB3EFC5755B148A2DD146CBA81DF74AC0ACB91
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000001.00000002.2208511822.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_1_2_67a0000_RegAsm.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 61ce9ee03deffa8a9aec7faf9e82b971c5e0211b771d2c2fb0369297ade3367f
                                                                                                                                                      • Instruction ID: 600b657a759cc16c60e31a5a15db3ca77ea1c3700f801cf3548ebe8cc8c4b2f2
                                                                                                                                                      • Opcode Fuzzy Hash: 61ce9ee03deffa8a9aec7faf9e82b971c5e0211b771d2c2fb0369297ade3367f
                                                                                                                                                      • Instruction Fuzzy Hash: 3A018F32B001199BDB14DEA9EC44ABFBBFBEBD4651B14813AE614D3240EB30991587A1
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000001.00000002.2208511822.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_1_2_67a0000_RegAsm.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: a1c747511fe53787704910a1686a16fba31d45277e8ee05aecac36d9366a0739
                                                                                                                                                      • Instruction ID: d4270861d45920ce3196e4bd2b21a9d7ca64bf35364b123c2d33d42ce64754e1
                                                                                                                                                      • Opcode Fuzzy Hash: a1c747511fe53787704910a1686a16fba31d45277e8ee05aecac36d9366a0739
                                                                                                                                                      • Instruction Fuzzy Hash: AE01BC312103128BC688B778E46467E3AF7FFC2298348882CD2078BE00DE34BC478B91
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000001.00000002.2197230523.000000000118D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118D000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_1_2_118d000_RegAsm.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 7a973db9b811c2eb29b9586d004f3ba16fc9a7d2b388c8e8de5033fe3e39bd79
                                                                                                                                                      • Instruction ID: b83650fce5c351f3afcb339dd37a6d10655d53151b58ba31b749b94a3610d8d5
                                                                                                                                                      • Opcode Fuzzy Hash: 7a973db9b811c2eb29b9586d004f3ba16fc9a7d2b388c8e8de5033fe3e39bd79
                                                                                                                                                      • Instruction Fuzzy Hash: 0A01A771005344DAEF185B69ED84B66FF98EF42764F18C45AED085B2C6C7789484CA72
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000001.00000002.2208511822.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_1_2_67a0000_RegAsm.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: fff91a4206e277e5223a720fedfe8a604bc8ee4803eb5939309c0141260569de
                                                                                                                                                      • Instruction ID: 7eb019602ff2522d05cd01ccb9d16f1d42ea4f880e2a79e5be2d6cda4a6bc0aa
                                                                                                                                                      • Opcode Fuzzy Hash: fff91a4206e277e5223a720fedfe8a604bc8ee4803eb5939309c0141260569de
                                                                                                                                                      • Instruction Fuzzy Hash: 890126342083059FCB029F74D8148697FBAEF86200B1484EAE541CF662DB32DD11D791
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000001.00000002.2208511822.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_1_2_67a0000_RegAsm.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 50582a7226150d85dd90b9c24cb89b83903d34a11650cca92b2c3f3b78e38fd7
                                                                                                                                                      • Instruction ID: 3b5b11665aede282a6cb8189ccae730ebc725b173ad8a0e571b6a9daf185599a
                                                                                                                                                      • Opcode Fuzzy Hash: 50582a7226150d85dd90b9c24cb89b83903d34a11650cca92b2c3f3b78e38fd7
                                                                                                                                                      • Instruction Fuzzy Hash: 5401F130A0A34AEFCB45FBB8E85459C7FB5FB45204B1441AAD401D7251DB305E46CB91
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000001.00000002.2208511822.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_1_2_67a0000_RegAsm.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: feba0a6e116fe805ed1f8f987730735e357aa00a6709c35c4effb0eef36294f8
                                                                                                                                                      • Instruction ID: ab2ae18b2c04c58614122351715d1fb08926c23935f0b4babf22d4594a804d48
                                                                                                                                                      • Opcode Fuzzy Hash: feba0a6e116fe805ed1f8f987730735e357aa00a6709c35c4effb0eef36294f8
                                                                                                                                                      • Instruction Fuzzy Hash: 46018C302046058FE324AB78E0586AE77E3EBC9755B148A2DC25A87A44DF74A80ACB91
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000001.00000002.2208511822.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_1_2_67a0000_RegAsm.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 04b7cf6fb8ab7a5e8b39fef2f77688a7b0fad1a1277104dede31ffc5695eec79
                                                                                                                                                      • Instruction ID: 2ff02dc7201a772dafee06e5fd84e02fec2541148fada3b006c9b4033c2bc328
                                                                                                                                                      • Opcode Fuzzy Hash: 04b7cf6fb8ab7a5e8b39fef2f77688a7b0fad1a1277104dede31ffc5695eec79

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000001.00000002.2208511822.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_1_2_67a0000_RegAsm.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 61df6f42a761bf72bf69f3c7f54fffa7d26454753233349f58d5cbf049acab54
                                                                                                                                                      • Instruction ID: 7832ebb94d32ab7aa937c61a0658b029942f80a097ead3eefedbdf45834ab2d6
                                                                                                                                                      • Opcode Fuzzy Hash: 61df6f42a761bf72bf69f3c7f54fffa7d26454753233349f58d5cbf049acab54
                                                                                                                                                      • Instruction Fuzzy Hash: DCF09A74504B158FD725EF26E448512BBF6FB8C380B00C62EE98B82A10DB70A90ACF84
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000001.00000002.2208511822.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_1_2_67a0000_RegAsm.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 80065bcd25547a8af0c6c78feef90a09050fdbba753d0dabb489861db48ccf3e
                                                                                                                                                      • Instruction ID: ef72a1e04c673d4c67e4f4363e530ce327b43b3b3534388f2cff38a980c71ccb
                                                                                                                                                      • Opcode Fuzzy Hash: 80065bcd25547a8af0c6c78feef90a09050fdbba753d0dabb489861db48ccf3e
                                                                                                                                                      • Instruction Fuzzy Hash: 55E0D8312063659FC702AB24FC21AEA3B61F786515B004166D000C7A46CB381D078FD1
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000001.00000002.2208511822.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_1_2_67a0000_RegAsm.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 14b617807bb2dbe21bab167daad43ecc7d7c2f38d53ca353e98e1cebd4ea7a05
                                                                                                                                                      • Instruction ID: 99c05178287a9189f79cb5d7a12151035b216d29942ab712c208eaaac1b8b96b
                                                                                                                                                      • Opcode Fuzzy Hash: 14b617807bb2dbe21bab167daad43ecc7d7c2f38d53ca353e98e1cebd4ea7a05
                                                                                                                                                      • Instruction Fuzzy Hash: F9F03935D0520DBFCB01DFF4D9488CDBFB9EB44244F1082A6E845E7650EA705B55DB91
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000001.00000002.2208511822.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_1_2_67a0000_RegAsm.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 68a432ab05573608e98ef464a5e49ef3aafa32f7ea920318fb78e58eae5ebbd1
                                                                                                                                                      • Instruction ID: d30b62d7257f33e5a555d72da9b8584364ff61af423e428c3d92690de6d7f0d2
                                                                                                                                                      • Opcode Fuzzy Hash: 68a432ab05573608e98ef464a5e49ef3aafa32f7ea920318fb78e58eae5ebbd1
                                                                                                                                                      • Instruction Fuzzy Hash: 64E06D302047658FC711AB3DF4187AE7BE6EF86358F04052DE2478BA51DBA5A8068BA5
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000001.00000002.2208511822.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_1_2_67a0000_RegAsm.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: b31081756b523b50124491d350aa17671ea536dd583deda7f81d1b2f339bdbf7
                                                                                                                                                      • Instruction ID: a7ba91425c4052841a5187510d373d0df7b1b0393d9e4e2647e6423b8fb1079f
                                                                                                                                                      • Opcode Fuzzy Hash: b31081756b523b50124491d350aa17671ea536dd583deda7f81d1b2f339bdbf7
                                                                                                                                                      • Instruction Fuzzy Hash: 9CE0D83010A3A9FFD703B724F8255A93F75DF83511704415AE801CBA55C7348C4687D1
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000001.00000002.2208511822.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_1_2_67a0000_RegAsm.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 5600c1f5fa2929c77a0f54cb5a54b59bc6af2ad38335271eca26fe8906235dc7
                                                                                                                                                      • Instruction ID: 6c16a62e9d7a3f4708fc95558a5a0d2c36fafc38002f78ce1f43c43e0d1425ed
                                                                                                                                                      • Opcode Fuzzy Hash: 5600c1f5fa2929c77a0f54cb5a54b59bc6af2ad38335271eca26fe8906235dc7
                                                                                                                                                      • Instruction Fuzzy Hash: 5CE0DF71E49358EFCB11DF68EC509AE3BB1EB8220272042EBD809D76A0E6300F119B52
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000001.00000002.2208511822.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_1_2_67a0000_RegAsm.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: e1b0df37abbeec309c63f12acb589afad451e159dfeb29baa8ca173af1cbed69
                                                                                                                                                      • Instruction ID: 44ea531861580dd3a72b5ebe45d69ba78f23860c83ba7ad4049547cff8811cf5
                                                                                                                                                      • Opcode Fuzzy Hash: e1b0df37abbeec309c63f12acb589afad451e159dfeb29baa8ca173af1cbed69
                                                                                                                                                      • Instruction Fuzzy Hash: 2EE08C3925A254AFC7029B18CC008697FB8EF5A60030440CAF580CF2B3C221ED21DBA0
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000001.00000002.2208511822.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_1_2_67a0000_RegAsm.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 953964ad11e50ae3fbb621177aa5402c552ede857c773e1393d814eb3d19457e
                                                                                                                                                      • Instruction ID: 91e341fa193f182a330b5e16746f7af213bb88002a301bdad143fd3323123178
                                                                                                                                                      • Opcode Fuzzy Hash: 953964ad11e50ae3fbb621177aa5402c552ede857c773e1393d814eb3d19457e
                                                                                                                                                      • Instruction Fuzzy Hash: 32D05E3531012D9FCA1A776DF8184BE7BABEBC5A62304402EE70BC3280CF696D0687D5
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000001.00000002.2208511822.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_1_2_67a0000_RegAsm.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 3194c1f9244d9b3f467a32bc14411355ec0d8191ad1c78e4cc3d1b9dcb118a6e
                                                                                                                                                      • Instruction ID: 84cd2133a28abff34afe2585b094109804a96b50a1a47e7bee058b5e3bc27169
                                                                                                                                                      • Opcode Fuzzy Hash: 3194c1f9244d9b3f467a32bc14411355ec0d8191ad1c78e4cc3d1b9dcb118a6e
                                                                                                                                                      • Instruction Fuzzy Hash: 21E09275D0420CEFCB40DFE5E9448DDBBB9FB48204F1082AAD909A3210EB306B55DF80
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000001.00000002.2208511822.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_1_2_67a0000_RegAsm.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: eda28b4da88bc09a6cd17eae19ebb1c0827782ed2c4c2d29369499d1313beeb6
                                                                                                                                                      • Instruction ID: 6fa99b65e9bf6ebffeaaa8306cbbf7e972593fd5c59092b0902e4b8df45f3ff8
                                                                                                                                                      • Opcode Fuzzy Hash: eda28b4da88bc09a6cd17eae19ebb1c0827782ed2c4c2d29369499d1313beeb6
                                                                                                                                                      • Instruction Fuzzy Hash: C0E086311107158FD748FB14FD65B4433A2E789B19F215159D4028B6B8C77119569BC0
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000001.00000002.2208493362.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_1_2_6780000_RegAsm.jbxd
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2208511822.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_67a0000_RegAsm.jbxd
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2208511822.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_67a0000_RegAsm.jbxd
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2208511822.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_67a0000_RegAsm.jbxd
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2208511822.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_67a0000_RegAsm.jbxd
Uniqueness

Uniqueness Score: -1.00%