

Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1445847
MD5: fdc69e7726f37315f2f576a3ca749c48
SHA1: 44cb651c3be86b959e4e630e741189ad2c945c44
SHA256: 1692db4e522605d93551ddcabeffa92a2cd43e764a134833644808319784b955
Tags: exe
Infos:

Detection

RedLine
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Yara detected RedLine Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign process
Installs new ROOT certificates
Machine Learning detection for sample
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops certificate files (DER)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 3160 cmdline: "C:\Users\user\Desktop\file.exe" MD5: FDC69E7726F37315F2F576A3CA749C48)
    • RegAsm.exe (PID: 3320 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware configuration (RedLine):
{"C2 url": "5.42.65.115:40551", "Bot Id": "LogsDiller Cloud (TG: @logsdillabot)", "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}
Source | Rule | Description | Author | Strings
00000000.00000002.2066565409.0000000000517000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000002.00000002.3320371970.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
Process Memory Space: file.exe PID: 3160 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
Process Memory Space: RegAsm.exe PID: 3320 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

Source | Rule | Description | Author | Strings
2.2.RegAsm.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0.2.file.exe.4f0000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

No Sigma rule has matched
No Snort rule has matched



AV Detection

Source: file.exe Avira: detected
Source: 00000002.00000002.3321344042.00000000032A1000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: RedLine {"C2 url": "5.42.65.115:40551", "Bot Id": "LogsDiller Cloud (TG: @logsdillabot)", "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe Joe Sandbox ML: detected
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: RegAsm.exe, 00000002.00000002.3322128878.0000000005A9A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32d source: RegAsm.exe, 00000002.00000002.3322128878.0000000005A9A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.ServiceModel.pdb source: RegAsm.exe, 00000002.00000002.3320507999.0000000001187000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb8D source: RegAsm.exe, 00000002.00000002.3320801748.0000000001445000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb source: RegAsm.exe, 00000002.00000002.3320801748.0000000001445000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: RegAsm.exe, 00000002.00000002.3320801748.0000000001445000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: RegAsm.exe, 00000002.00000002.3322128878.0000000005A9A000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00504493 FindFirstFileExW,0_2_00504493

Networking

Source: Malware configuration extractor URLs: 5.42.65.115:40551
Source: global traffic TCP traffic: 192.168.2.6:49699 -> 5.42.65.115:40551
Source: Joe Sandbox View ASN Name: RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.115 (23 occurrences)
Source: RegAsm.exe, 00000002.00000002.3321344042.00000000032A1000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory:
  • http://schemas.xmlsoap.org/soap/actor/next
  • http://schemas.xmlsoap.org/soap/envelope/
  • http://schemas.xmlsoap.org/ws/2004/08/addressing
  • http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9
  • http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
  • http://schemas.xmlsoap.org/ws/2005/02/rm
  • http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
  • http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
  • http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
  • http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
  • http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
  • http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
  • http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
  • http://tempuri.org/

Source: RegAsm.exe, 00000002.00000002.3321344042.00000000034CC000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory:
  • http://tempuri.org/Entity/
  • http://tempuri.org/Entity/Id24Response

Source: RegAsm.exe, 00000002.00000002.3321344042.000000000347D000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory:
  • http://tempuri.org/Entity/Id13

Source: RegAsm.exe, 00000002.00000002.3321344042.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.000000000342F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000033D6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000034CC000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory:
  • http://tempuri.org/Entity/Id13LR

Source: RegAsm.exe, 00000002.00000002.3321344042.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.000000000342F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000033D6000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory:
  • http://tempuri.org/Entity/Id24Responsex

Source: RegAsm.exe, 00000002.00000002.3321344042.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.000000000342F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000033D6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000034CC000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory:
  • http://tempuri.org/Entity/Id10LR
  • http://tempuri.org/Entity/Id10Responsex
  • http://tempuri.org/Entity/Id11LR
  • http://tempuri.org/Entity/Id11Responsex
  • http://tempuri.org/Entity/Id12LR
  • http://tempuri.org/Entity/Id12Responsex
  • http://tempuri.org/Entity/Id13Responsex
  • http://tempuri.org/Entity/Id14LR
  • http://tempuri.org/Entity/Id14Responsex
  • http://tempuri.org/Entity/Id15LR
  • http://tempuri.org/Entity/Id15Responsex
  • http://tempuri.org/Entity/Id16LR
  • http://tempuri.org/Entity/Id16Responsex
  • http://tempuri.org/Entity/Id17LR
  • http://tempuri.org/Entity/Id17Responsex
  • http://tempuri.org/Entity/Id18LR
  • http://tempuri.org/Entity/Id18Responsex
  • http://tempuri.org/Entity/Id19LR
  • http://tempuri.org/Entity/Id19Responsex
  • http://tempuri.org/Entity/Id1LR
  • http://tempuri.org/Entity/Id1Responsex
  • http://tempuri.org/Entity/Id20LR
  • http://tempuri.org/Entity/Id20Responsex
  • http://tempuri.org/Entity/Id21LR
  • http://tempuri.org/Entity/Id21Responsex
  • http://tempuri.org/Entity/Id22LR
  • http://tempuri.org/Entity/Id22Responsex
  • http://tempuri.org/Entity/Id23LR
  • http://tempuri.org/Entity/Id23Responsex
  • http://tempuri.org/Entity/Id24LR
  • http://tempuri.org/Entity/Id2LR
  • http://tempuri.org/Entity/Id2Responsex
  • http://tempuri.org/Entity/Id3LR
  • http://tempuri.org/Entity/Id3Responsex
  • http://tempuri.org/Entity/Id4LR
  • http://tempuri.org/Entity/Id4Responsex
              Source: RegAsm.exe, 00000002.00000002.3321344042.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.000000000342F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000033D6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000034CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5LR
              Source: RegAsm.exe, 00000002.00000002.3321344042.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.000000000342F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000033D6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000034CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Responsex
              Source: RegAsm.exe, 00000002.00000002.3321344042.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.000000000342F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000033D6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000034CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6LR
              Source: RegAsm.exe, 00000002.00000002.3321344042.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.000000000342F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000033D6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000034CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Responsex
              Source: RegAsm.exe, 00000002.00000002.3321344042.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.000000000342F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000033D6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000034CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7LR
              Source: RegAsm.exe, 00000002.00000002.3321344042.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.000000000342F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000033D6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000034CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Responsex
              Source: RegAsm.exe, 00000002.00000002.3321344042.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.000000000342F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000033D6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000034CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8LR
              Source: RegAsm.exe, 00000002.00000002.3321344042.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.000000000342F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000033D6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000034CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Responsex
              Source: RegAsm.exe, 00000002.00000002.3321344042.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.000000000342F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000033D6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000034CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9LR
              Source: RegAsm.exe, 00000002.00000002.3321344042.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.000000000342F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000033D6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000034CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Responsex
              Source: file.exe, 00000000.00000002.2066565409.0000000000517000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000002.00000002.3320371970.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Temp\Tmp59F0.tmpJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Temp\Tmp5A01.tmpJump to dropped file
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00506AF80_2_00506AF8
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005035600_2_00503560
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0308DC742_2_0308DC74
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_06B067D82_2_06B067D8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_06B0A3E82_2_06B0A3E8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_06B03F502_2_06B03F50
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_06B0A3D82_2_06B0A3D8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_06B06FF82_2_06B06FF8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_06B06FE82_2_06B06FE8
              Source: C:\Users\user\Desktop\file.exeCode function: String function: 004F51D0 appears 48 times
              Source: file.exe, 00000000.00000002.2066565409.000000000055A000.00000004.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameChazan.exe8 vs file.exe
              Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: file.exeStatic PE information: Section: .data ZLIB complexity 0.9890334243527508
              Source: classification engineClassification label: mal96.troj.evad.winEXE@3/4@0/1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMutant created: NULL
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Temp\Tmp59F0.tmpJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Program Files (x86)\desktop.iniJump to behavior
              Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: unknownProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
              Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dwrite.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msvcp140_clr0400.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: esdsip.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: scrrun.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: linkinfo.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32Jump to behavior
              Source: Google Chrome.lnk.2.drLNK file: ..\..\..\Program Files\Google\Chrome\Application\chrome.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
              Source: file.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: RegAsm.exe, 00000002.00000002.3322128878.0000000005A9A000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.ServiceModel.pdb693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32d source: RegAsm.exe, 00000002.00000002.3322128878.0000000005A9A000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Windows\System.ServiceModel.pdb source: RegAsm.exe, 00000002.00000002.3320507999.0000000001187000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb8D source: RegAsm.exe, 00000002.00000002.3320801748.0000000001445000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.ServiceModel.pdb source: RegAsm.exe, 00000002.00000002.3320801748.0000000001445000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: RegAsm.exe, 00000002.00000002.3320801748.0000000001445000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: RegAsm.exe, 00000002.00000002.3322128878.0000000005A9A000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_004F4964 push ecx; ret 0_2_004F4977
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_06B0C711 push es; ret 2_2_06B0C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_06B0D413 push es; ret 2_2_06B0D420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_06B0ECF2 push eax; ret 2_2_06B0ED01

              Persistence and Installation Behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Memory allocated: 3020000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Memory allocated: 32A0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Memory allocated: 30C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00504493 FindFirstFileExW
Source: RegAsm.exe, 00000002.00000002.3322128878.0000000005AE3000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllP
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_004F8F06 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_004FC35D mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_0050560E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00507C0D GetProcessHeap
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_004F5102 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_004F5237 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_004F4FA6 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\file.exe; Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_007F018D CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread
Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 432000
Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000
Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: E2E008
Source: C:\Users\user\Desktop\file.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_004F4CCC cpuid
Source: C:\Users\user\Desktop\file.exe; Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_00507047
Source: C:\Users\user\Desktop\file.exe; Code function: EnumSystemLocalesW, 0_2_004FF01F
Source: C:\Users\user\Desktop\file.exe; Code function: GetLocaleInfoW, 0_2_005078DC
Source: C:\Users\user\Desktop\file.exe; Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_005079AB
Source: C:\Users\user\Desktop\file.exe; Code function: EnumSystemLocalesW, 0_2_005072E9
Source: C:\Users\user\Desktop\file.exe; Code function: EnumSystemLocalesW, 0_2_00507334
Source: C:\Users\user\Desktop\file.exe; Code function: EnumSystemLocalesW, 0_2_005073CF
Source: C:\Users\user\Desktop\file.exe; Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_0050745A
Source: C:\Users\user\Desktop\file.exe; Code function: GetLocaleInfoW, 0_2_004FF545
Source: C:\Users\user\Desktop\file.exe; Code function: GetLocaleInfoW, 0_2_005076AD
Source: C:\Users\user\Desktop\file.exe; Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_005077D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004F4EA0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_004F4EA0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Stealing of Sensitive Information

Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.4f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2066565409.0000000000517000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3320371970.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 3160, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3320, type: MEMORYSTR

              Remote Access Functionality

Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.4f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2066565409.0000000000517000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3320371970.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 3160, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3320, type: MEMORYSTR

MITRE ATT&CK Matrix (one tactic per column, left to right; a number before a technique name is the report's match-count badge, kept as extracted):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 411 Process Injection | 1 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Virtualization/Sandbox Evasion | LSASS Memory | 21 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Disable or Modify Tools | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 411 Process Injection | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 33 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Obfuscated Files or Information | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Install Root Certificate | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Software Packing | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Source | Detection | Scanner | Label | Link
file.exe | 100% | Avira | HEUR/AGEN.1317026 |
file.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info

Name | Malicious | Antivirus Detection | Reputation
5.42.65.115:40551 | true | Avira URL Cloud: safe | unknown
              • Avira URL Cloud: safe
              unknown
              http://tempuri.org/Entity/Id20ResponsexRegAsm.exe, 00000002.00000002.3321344042.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.000000000342F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000033D6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000034CC000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://tempuri.org/Entity/Id24ResponseRegAsm.exe, 00000002.00000002.3321344042.00000000034CC000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedRegAsm.exe, 00000002.00000002.3321344042.00000000032A1000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              http://tempuri.org/Entity/Id8ResponsexRegAsm.exe, 00000002.00000002.3321344042.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.000000000342F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000033D6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000034CC000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://tempuri.org/Entity/Id18LRRegAsm.exe, 00000002.00000002.3321344042.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.000000000342F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000033D6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000034CC000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://tempuri.org/Entity/Id13ResponsexRegAsm.exe, 00000002.00000002.3321344042.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.000000000342F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000033D6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000034CC000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://tempuri.org/Entity/Id16ResponsexRegAsm.exe, 00000002.00000002.3321344042.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.000000000342F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000033D6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000034CC000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://tempuri.org/Entity/Id16LRRegAsm.exe, 00000002.00000002.3321344042.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.000000000342F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000033D6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000034CC000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://tempuri.org/Entity/Id8LRRegAsm.exe, 00000002.00000002.3321344042.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.000000000342F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000033D6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000034CC000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://tempuri.org/Entity/Id14LRRegAsm.exe, 00000002.00000002.3321344042.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.000000000342F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000033D6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000034CC000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://tempuri.org/Entity/Id6LRRegAsm.exe, 00000002.00000002.3321344042.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.000000000342F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000033D6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000034CC000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://tempuri.org/Entity/RegAsm.exe, 00000002.00000002.3321344042.00000000034CC000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://tempuri.org/Entity/Id12LRRegAsm.exe, 00000002.00000002.3321344042.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.000000000342F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000033D6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000034CC000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://tempuri.org/Entity/Id9ResponsexRegAsm.exe, 00000002.00000002.3321344042.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.000000000342F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000033D6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000034CC000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://schemas.xmlsoap.org/ws/2004/08/addressingRegAsm.exe, 00000002.00000002.3321344042.00000000032A1000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              http://tempuri.org/Entity/Id10LRRegAsm.exe, 00000002.00000002.3321344042.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.000000000342F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000033D6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000034CC000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://tempuri.org/Entity/Id3ResponsexRegAsm.exe, 00000002.00000002.3321344042.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.000000000342F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000033D6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000034CC000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://tempuri.org/Entity/Id4LRRegAsm.exe, 00000002.00000002.3321344042.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.000000000342F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000033D6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000034CC000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://tempuri.org/Entity/Id24ResponsexRegAsm.exe, 00000002.00000002.3321344042.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.000000000342F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000033D6000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://tempuri.org/Entity/Id2LRRegAsm.exe, 00000002.00000002.3321344042.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.000000000342F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000033D6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000034CC000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://schemas.xmlsoap.org/ws/2005/02/rmRegAsm.exe, 00000002.00000002.3321344042.00000000032A1000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessageRegAsm.exe, 00000002.00000002.3321344042.00000000032A1000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              http://tempuri.org/Entity/Id13RegAsm.exe, 00000002.00000002.3321344042.000000000347D000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              http://tempuri.org/Entity/Id12ResponsexRegAsm.exe, 00000002.00000002.3321344042.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.000000000342F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000033D6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000034CC000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://tempuri.org/Entity/Id17ResponsexRegAsm.exe, 00000002.00000002.3321344042.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.000000000342F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000033D6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000034CC000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceRegAsm.exe, 00000002.00000002.3321344042.00000000032A1000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              http://schemas.xmlsoap.org/soap/actor/nextRegAsm.exe, 00000002.00000002.3321344042.00000000032A1000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsRegAsm.exe, 00000002.00000002.3321344042.00000000032A1000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              http://tempuri.org/Entity/Id4ResponsexRegAsm.exe, 00000002.00000002.3321344042.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.000000000342F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000033D6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3321344042.00000000034CC000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
IP:5.42.65.115
Domain:unknown
Country:Russian Federation
ASN:39493
ASN Name:RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU
Malicious:true
              Joe Sandbox version:40.0.0 Tourmaline
              Analysis ID:1445847
              Start date and time:2024-05-22 17:04:11 +02:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 4m 45s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Number of analysed new started processes analysed:6
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:file.exe
              Detection:MAL
              Classification:mal96.troj.evad.winEXE@3/4@0/1
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 99%
              • Number of executed functions: 83
              • Number of non-executed functions: 43
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • VT rate limit hit for: file.exe
              No simulations
Match:5.42.65.115
• Pp8XG0Vz4D.exe (Detection: malicious; Threat Name: GCleaner; Context: 5.42.65.115/advdlc.php)
• mxsujj4FZz.exe (Detection: malicious; Threat Name: GCleaner, RedLine; Context: 5.42.65.115/advdlc.php)
• UzMahCzo58.exe (Detection: malicious; Threat Name: LummaC, GCleaner, LummaC Stealer; Context: 5.42.65.115/advdlc.php)
• hkXE3abs6j.exe (Detection: malicious; Threat Name: GCleaner, RedLine; Context: 5.42.65.115/advdlc.php)
              No context
Match:RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU
• 2T6MGxlKZT.exe (Detection: malicious; Threat Name: SmokeLoader; Context: 5.42.96.170)
• file.exe (Detection: malicious; Threat Name: Unknown; Context: 5.42.66.10)
• http://0nline.jjwconstructlon.com (Detection: malicious; Threat Name: HTMLPhisher; Context: 5.42.65.53)
• file.exe (Detection: malicious; Threat Name: RedLine; Context: 5.42.65.85)
• https://url12.mailanyone.net/scanner?m=1s9PCz-0000cD-4j&d=4%7Cmail%2F90%2F1716296400%2F1s9PCz-0000cD-4j%7Cin12g%7C57e1b682%7C11949542%7C14589158%7C664C9C811D87B03FE2E6472997A0C22E&o=%2Fphtl%3A%2Fatsnhtaageeteoilogt.rgsigc%2Faz.&s=1YKQiaLIfHH0tTbjCAvEAnTGAIU (Detection: malicious; Threat Name: HTMLPhisher; Context: 5.42.65.53)
• https://url12.mailanyone.net/scanner?m=1s9PCz-0000cD-4j&d=4%7Cmail%2F90%2F1716296400%2F1s9PCz-0000cD-4j%7Cin12g%7C57e1b682%7C11949542%7C14589158%7C664C9C811D87B03FE2E6472997A0C22E&o=%2Fphtl%3A%2Fatsnhtaageeteoilogt.rgsigc%2Faz.&s=1YKQiaLIfHH0tTbjCAvEAnTGAIU (Detection: malicious; Threat Name: HTMLPhisher; Context: 5.42.65.53)
• https://url12.mailanyone.net/scanner?m=1s9PCz-0000cD-4j&d=4%7Cmail%2F90%2F1716296400%2F1s9PCz-0000cD-4j%7Cin12g%7C57e1b682%7C11949542%7C14589158%7C664C9C811D87B03FE2E6472997A0C22E&o=%2Fphtl%3A%2Fatsnhtaageeteoilogt.rgsigc%2Faz.&s=1YKQiaLIfHH0tTbjCAvEAnTGAIU (Detection: malicious; Threat Name: HTMLPhisher; Context: 5.42.65.53)
• file.exe (Detection: malicious; Threat Name: RisePro Stealer; Context: 5.42.96.64)
• 8a180cbdd2a7a7b4f60d93c574bee9248b17d5c1cb782850441a41fd6db0727a_dump.exe (Detection: malicious; Threat Name: RedLine; Context: 5.42.65.85)
• file.exe (Detection: malicious; Threat Name: RedLine; Context: 5.42.65.85)
              No context
              No context
              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Thu Oct 5 05:47:14 2023, atime=Wed Sep 27 08:36:54 2023, length=3242272, window=hide
              Category:dropped
              Size (bytes):2104
              Entropy (8bit):3.466670658720131
              Encrypted:false
              SSDEEP:48:8Sgd5TvG90lRYrnvPdAKRkdAGdAKRFdAKR6P:8SKby7
              MD5:9A99616405271EB0054FC2D643C1E318
              SHA1:01EE245CAFDEA8583ADBA3E6D9EADB39A1535CA6
              SHA-256:F715A19DFAE95A93D5E1311973B536EACA050F8EA4E564DFF1407093C1043745
              SHA-512:3D2DE7071BDA8B5ABD22E1546532A5C846F650F6B63AB5237B822CA3985439457DA6481400BFA8758DD8E3E01723B9B99822517B45365BF64A8B1BCCB51FD663
              Malicious:false
              Reputation:low
              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              File Type:data
              Category:dropped
              Size (bytes):2662
              Entropy (8bit):7.8230547059446645
              Encrypted:false
              SSDEEP:48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
              MD5:1420D30F964EAC2C85B2CCFE968EEBCE
              SHA1:BDF9A6876578A3E38079C4F8CF5D6C79687AD750
              SHA-256:F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
              SHA-512:6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
              Malicious:false
              Reputation:moderate, very likely benign file
              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              File Type:data
              Category:dropped
              Size (bytes):2662
              Entropy (8bit):7.8230547059446645
              Encrypted:false
              SSDEEP:48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
              MD5:1420D30F964EAC2C85B2CCFE968EEBCE
              SHA1:BDF9A6876578A3E38079C4F8CF5D6C79687AD750
              SHA-256:F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
              SHA-512:6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
              Malicious:false
              Reputation:moderate, very likely benign file
              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              File Type:data
              Category:dropped
              Size (bytes):2251
              Entropy (8bit):7.639756177727786
              Encrypted:false
              SSDEEP:48:S7SjQDUisflUXD96K3k/4HAose4h+E1NuC/+98j1Gm:ASUDnsmIsAoszNzS8j1r
              MD5:04A53B90991289CA4C58FEA4F98E43DA
              SHA1:5C42FA745B224DEACE90B5F8CB70DCCBDAE7E7CC
              SHA-256:D962E99CB275DFE701428CE0012FF544F65C388FA81E57A8B204F00DD824F00A
              SHA-512:2939621133D3361DFCA427E931540D87A0C81A9686272D62F4BD234DD74C16F783243D0E0169F991505B8364AA5DA8E36D3E7AD444793A1FFD9DF1FE78C60111
              Malicious:false
              Reputation:low
              File type:PE32 executable (GUI) Intel 80386, for MS Windows
              Entropy (8bit):7.711083644811368
              TrID:
              • Win32 Executable (generic) a (10002005/4) 99.96%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:file.exe
              File size:470'528 bytes
              MD5:fdc69e7726f37315f2f576a3ca749c48
              SHA1:44cb651c3be86b959e4e630e741189ad2c945c44
              SHA256:1692db4e522605d93551ddcabeffa92a2cd43e764a134833644808319784b955
              SHA512:de974aa0e7cb1393eefacbd90a87f2283af59004de217283b9dbba2c338935aa013ba738065747d2491248ca3d781ee7ede0044082a58da3fa21989e3431dc2f
              SSDEEP:12288:REY+q1cYutAScujVzQ/B02L4dj5w2TUTup:W6ScuJzI028dNNUKp
              TLSH:4BA4F150B4C08072DA72153208F4DAB5AE3EFD708E669AAF77550F7E4F30581DB21A6B
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......jL$..-J,.-J,.-J,._I-"-J,._O-.-J,._N-;-J,._K---J,.-K,u-J,..N-<-J,..I-:-J,..O-`-J,..O-/-J,..H-/-J,Rich.-J,........PE..L.....Mf...
              Icon Hash:00928e8e8686b000
              Entrypoint:0x40490e
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Time Stamp:0x664DEC0B [Wed May 22 12:58:51 2024 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:6
              OS Version Minor:0
              File Version Major:6
              File Version Minor:0
              Subsystem Version Major:6
              Subsystem Version Minor:0
              Import Hash:f9531947707a40ed7d1e9b9b8bfcbdb8
              Name                                   Virtual Address  Virtual Size  Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT           0x0              0x0
              IMAGE_DIRECTORY_ENTRY_IMPORT           0x25a1c          0x28          .rdata
              IMAGE_DIRECTORY_ENTRY_RESOURCE         0x0              0x0
              IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0              0x0
              IMAGE_DIRECTORY_ENTRY_SECURITY         0x0              0x0
              IMAGE_DIRECTORY_ENTRY_BASERELOC        0x76000          0x1954        .reloc
              IMAGE_DIRECTORY_ENTRY_DEBUG            0x24048          0x1c          .rdata
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0              0x0
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0              0x0
              IMAGE_DIRECTORY_ENTRY_TLS              0x0              0x0
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x23f88          0x40          .rdata
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0              0x0
              IMAGE_DIRECTORY_ENTRY_IAT              0x1d000          0x140         .rdata
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x0              0x0
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x0              0x0
              IMAGE_DIRECTORY_ENTRY_RESERVED         0x0              0x0
              Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy             Characteristics
              .text   0x1000           0x1a59f       0x1a600   f09877de99aa60c1a877d34417309b01  False     0.5830031842417062  data       6.602101640381143   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              .BSS    0x1c000          0x31b         0x400     bc94bcce2d8eb19fefac8aebd3b30246  False     0.6650390625        data       5.4866235669189685  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              .rdata  0x1d000          0x914e        0x9200    6827ac391127c6dcfe7961ef8c64b104  False     0.3927119006849315  data       4.70806870293617    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .data   0x27000          0x4e214       0x4d400   cdc41cbbc03b7ace1cc781e8b4ae8e15  False     0.9890334243527508  data       7.991764691270708   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .reloc  0x76000          0x1954        0x1a00    e018dc832bba26f2a74757b6af913349  False     0.7543569711538461  data       6.483056637438508   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
              DLL           Import
              KERNEL32.dll  WaitForSingleObject, CreateThread, VirtualAlloc, GetModuleHandleA, GetProcAddress, EncodePointer, DecodePointer, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, MultiByteToWideChar, WideCharToMultiByte, LCMapStringEx, GetStringTypeW, GetCPInfo, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetModuleHandleW, GetCurrentProcess, TerminateProcess, CreateFileW, RaiseException, RtlUnwind, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, CloseHandle, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetProcessHeap, HeapSize, WriteConsoleW
              Timestamp                            Source Port  Dest Port  Source IP    Dest IP
              May 22, 2024 17:04:57.812869072 CEST  49699        40551      192.168.2.6  5.42.65.115
              May 22, 2024 17:04:57.818461895 CEST  40551        49699      5.42.65.115  192.168.2.6
              May 22, 2024 17:04:57.818551064 CEST  49699        40551      192.168.2.6  5.42.65.115
              May 22, 2024 17:04:57.826517105 CEST  49699        40551      192.168.2.6  5.42.65.115
              May 22, 2024 17:04:57.843486071 CEST  40551        49699      5.42.65.115  192.168.2.6
              May 22, 2024 17:05:19.274852991 CEST  40551        49699      5.42.65.115  192.168.2.6
              May 22, 2024 17:05:19.274940968 CEST  49699        40551      192.168.2.6  5.42.65.115
              May 22, 2024 17:05:19.407730103 CEST  49699        40551      192.168.2.6  5.42.65.115
              May 22, 2024 17:05:24.440880060 CEST  49706        40551      192.168.2.6  5.42.65.115
              May 22, 2024 17:05:24.450691938 CEST  40551        49706      5.42.65.115  192.168.2.6
              May 22, 2024 17:05:24.450807095 CEST  49706        40551      192.168.2.6  5.42.65.115
              May 22, 2024 17:05:24.451071024 CEST  49706        40551      192.168.2.6  5.42.65.115
              May 22, 2024 17:05:24.520884991 CEST  40551        49706      5.42.65.115  192.168.2.6
              May 22, 2024 17:05:45.906613111 CEST  40551        49706      5.42.65.115  192.168.2.6
              May 22, 2024 17:05:45.906882048 CEST  49706        40551      192.168.2.6  5.42.65.115
              May 22, 2024 17:05:46.127964020 CEST  49706        40551      192.168.2.6  5.42.65.115
              May 22, 2024 17:05:51.143182993 CEST  49707        40551      192.168.2.6  5.42.65.115
              May 22, 2024 17:05:51.154364109 CEST  40551        49707      5.42.65.115  192.168.2.6
              May 22, 2024 17:05:51.154583931 CEST  49707        40551      192.168.2.6  5.42.65.115
              May 22, 2024 17:05:51.154743910 CEST  49707        40551      192.168.2.6  5.42.65.115
              May 22, 2024 17:05:51.212476969 CEST  40551        49707      5.42.65.115  192.168.2.6
              May 22, 2024 17:06:12.634043932 CEST  40551        49707      5.42.65.115  192.168.2.6
              May 22, 2024 17:06:12.634325027 CEST  49707        40551      192.168.2.6  5.42.65.115
              May 22, 2024 17:06:12.634466887 CEST  49707        40551      192.168.2.6  5.42.65.115
              May 22, 2024 17:06:17.644033909 CEST  49709        40551      192.168.2.6  5.42.65.115
              May 22, 2024 17:06:17.649137974 CEST  40551        49709      5.42.65.115  192.168.2.6
              May 22, 2024 17:06:17.649404049 CEST  49709        40551      192.168.2.6  5.42.65.115
              May 22, 2024 17:06:17.649651051 CEST  49709        40551      192.168.2.6  5.42.65.115
              May 22, 2024 17:06:17.702686071 CEST  40551        49709      5.42.65.115  192.168.2.6
              May 22, 2024 17:06:39.040483952 CEST  40551        49709      5.42.65.115  192.168.2.6
              May 22, 2024 17:06:39.040663958 CEST  49709        40551      192.168.2.6  5.42.65.115
              May 22, 2024 17:06:39.041047096 CEST  49709        40551      192.168.2.6  5.42.65.115
              May 22, 2024 17:06:44.049303055 CEST  49710        40551      192.168.2.6  5.42.65.115
              May 22, 2024 17:06:44.054541111 CEST  40551        49710      5.42.65.115  192.168.2.6
              May 22, 2024 17:06:44.054671049 CEST  49710        40551      192.168.2.6  5.42.65.115
              May 22, 2024 17:06:44.054928064 CEST  49710        40551      192.168.2.6  5.42.65.115
              May 22, 2024 17:06:44.106388092 CEST  40551        49710      5.42.65.115  192.168.2.6

              Target ID:0
              Start time:11:04:55
              Start date:22/05/2024
              Path:C:\Users\user\Desktop\file.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\file.exe"
              Imagebase:0x4f0000
              File size:470'528 bytes
              MD5 hash:FDC69E7726F37315F2F576A3CA749C48
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2066565409.0000000000517000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
              Reputation:low
              Has exited:true

              Target ID:2
              Start time:11:04:55
              Start date:22/05/2024
              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              Wow64 process (32bit):true
              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              Imagebase:0xde0000
              File size:65'440 bytes
              MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.3320371970.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              Reputation:high
              Has exited:false

                Execution Graph

                Execution Coverage:3.6%
                Dynamic/Decrypted Code Coverage:100%
                Signature Coverage:1.6%
                Total number of Nodes:1543
                Total number of Limit Nodes:18
                execution_graph 17081 4feb57 17082 4feb62 17081->17082 17086 4feb72 17081->17086 17087 4feb78 17082->17087 17085 4fefd8 ___free_lconv_mon 14 API calls 17085->17086 17088 4feb8d 17087->17088 17089 4feb93 17087->17089 17090 4fefd8 ___free_lconv_mon 14 API calls 17088->17090 17091 4fefd8 ___free_lconv_mon 14 API calls 17089->17091 17090->17089 17092 4feb9f 17091->17092 17093 4fefd8 ___free_lconv_mon 14 API calls 17092->17093 17094 4febaa 17093->17094 17095 4fefd8 ___free_lconv_mon 14 API calls 17094->17095 17096 4febb5 17095->17096 17097 4fefd8 ___free_lconv_mon 14 API calls 17096->17097 17098 4febc0 17097->17098 17099 4fefd8 ___free_lconv_mon 14 API calls 17098->17099 17100 4febcb 17099->17100 17101 4fefd8 ___free_lconv_mon 14 API calls 17100->17101 17102 4febd6 17101->17102 17103 4fefd8 ___free_lconv_mon 14 API calls 17102->17103 17104 4febe1 17103->17104 17105 4fefd8 ___free_lconv_mon 14 API calls 17104->17105 17106 4febec 17105->17106 17107 4fefd8 ___free_lconv_mon 14 API calls 17106->17107 17108 4febfa 17107->17108 17113 4fe9a4 17108->17113 17114 4fe9b0 __FrameHandler3::FrameUnwindToState 17113->17114 17129 4fa8b5 EnterCriticalSection 17114->17129 17116 4fe9e4 17130 4fea03 17116->17130 17117 4fe9ba 17117->17116 17120 4fefd8 ___free_lconv_mon 14 API calls 17117->17120 17120->17116 17121 4fea0f 17122 4fea1b __FrameHandler3::FrameUnwindToState 17121->17122 17134 4fa8b5 EnterCriticalSection 17122->17134 17124 4fea25 17125 4fec45 __dosmaperr 14 API calls 17124->17125 17126 4fea38 17125->17126 17135 4fea58 17126->17135 17129->17117 17133 4fa8fd LeaveCriticalSection 17130->17133 17132 4fe9f1 17132->17121 17133->17132 17134->17124 17138 4fa8fd LeaveCriticalSection 17135->17138 17137 4fea46 17137->17085 17138->17137 15201 4f1068 15206 4f3c02 15201->15206 15207 4f106d 15206->15207 15208 4f3c12 15206->15208 15210 4f4c8a 15207->15210 15208->15207 15213 4f448d InitializeCriticalSectionEx 15208->15213 15214 4f4c5d 15210->15214 15213->15208 15215 4f4c6c 
15214->15215 15216 4f4c73 15214->15216 15220 4fdf70 15215->15220 15223 4fdfed 15216->15223 15219 4f1077 15221 4fdfed 44 API calls 15220->15221 15222 4fdf82 15221->15222 15222->15219 15226 4fdd39 15223->15226 15227 4fdd45 __FrameHandler3::FrameUnwindToState 15226->15227 15234 4fa8b5 EnterCriticalSection 15227->15234 15229 4fdd53 15235 4fdd94 15229->15235 15231 4fdd60 15245 4fdd88 15231->15245 15234->15229 15236 4fddaf 15235->15236 15237 4fde22 std::_Lockit::_Lockit 15235->15237 15236->15237 15244 4fde02 15236->15244 15248 507ba0 15236->15248 15237->15231 15238 507ba0 44 API calls 15240 4fde18 15238->15240 15242 4fefd8 ___free_lconv_mon 14 API calls 15240->15242 15241 4fddf8 15243 4fefd8 ___free_lconv_mon 14 API calls 15241->15243 15242->15237 15243->15244 15244->15237 15244->15238 15276 4fa8fd LeaveCriticalSection 15245->15276 15247 4fdd71 15247->15219 15249 507bc8 15248->15249 15250 507bad 15248->15250 15252 507bd7 15249->15252 15257 5093cf 15249->15257 15250->15249 15251 507bb9 15250->15251 15253 4fb318 __dosmaperr 14 API calls 15251->15253 15264 503ba6 15252->15264 15256 507bbe __fread_nolock 15253->15256 15256->15241 15258 5093da 15257->15258 15259 5093ef HeapSize 15257->15259 15260 4fb318 __dosmaperr 14 API calls 15258->15260 15259->15252 15261 5093df 15260->15261 15262 4f9102 __strnicoll 41 API calls 15261->15262 15263 5093ea 15262->15263 15263->15252 15265 503bb3 15264->15265 15266 503bbe 15264->15266 15267 502001 std::_Locinfo::_Locinfo_ctor 15 API calls 15265->15267 15268 503bc6 15266->15268 15274 503bcf __dosmaperr 15266->15274 15272 503bbb 15267->15272 15269 4fefd8 ___free_lconv_mon 14 API calls 15268->15269 15269->15272 15270 503bd4 15273 4fb318 __dosmaperr 14 API calls 15270->15273 15271 503bf9 HeapReAlloc 15271->15272 15271->15274 15272->15256 15273->15272 15274->15270 15274->15271 15275 4fdc55 ctype 2 API calls 15274->15275 15275->15274 15276->15247 15288 4f1079 15293 4f2456 15288->15293 15290 4f108c 15291 4f4c8a 44 API calls 15290->15291 15292 4f1096 
15291->15292 15294 4f2462 __EH_prolog3 15293->15294 15297 4f3180 15294->15297 15296 4f24b4 ctype 15296->15290 15306 4f2e24 15297->15306 15299 4f318b 15314 4f37dd 15299->15314 15301 4f319e 15302 4f1eb1 std::ios_base::_Init 43 API calls 15301->15302 15303 4f31b7 15301->15303 15302->15303 15304 4f31c3 15303->15304 15318 4f42a8 15303->15318 15304->15296 15307 4f2e30 __EH_prolog3 15306->15307 15308 4f1eb1 std::ios_base::_Init 43 API calls 15307->15308 15309 4f2e61 15308->15309 15310 4f4918 ctype 43 API calls 15309->15310 15311 4f2e68 15310->15311 15313 4f2e79 ctype 15311->15313 15323 4f3e12 15311->15323 15313->15299 15315 4f37e9 __EH_prolog3 15314->15315 15439 4f239c 15315->15439 15317 4f3801 std::ios_base::_Ios_base_dtor ctype 15317->15301 15319 4f3c2f std::_Lockit::_Lockit 7 API calls 15318->15319 15320 4f42b8 15319->15320 15321 4f3c87 std::_Lockit::~_Lockit 2 API calls 15320->15321 15322 4f42f6 15321->15322 15322->15304 15324 4f3e1e __EH_prolog3 15323->15324 15335 4f3c2f 15324->15335 15329 4f3e3c 15347 4f3f98 15329->15347 15330 4f3e97 ctype 15330->15313 15334 4f3e5a 15357 4f3c87 15334->15357 15336 4f3c3e 15335->15336 15337 4f3c45 15335->15337 15364 4fa914 15336->15364 15339 4f3c43 15337->15339 15369 4f44a2 EnterCriticalSection 15337->15369 15339->15334 15341 4f3f75 15339->15341 15342 4f4918 ctype 43 API calls 15341->15342 15343 4f3f80 15342->15343 15344 4f3f94 15343->15344 15421 4f3ca6 15343->15421 15344->15329 15348 4f3e44 15347->15348 15349 4f3fa4 15347->15349 15351 4f3d6a 15348->15351 15424 4f4450 15349->15424 15352 4f3d78 15351->15352 15356 4f3da3 _Yarn 15351->15356 15353 4fa859 std::locale::_Locimp::~_Locimp 14 API calls 15352->15353 15354 4f3d84 15352->15354 15353->15354 15355 4fa92b _Yarn 15 API calls 15354->15355 15354->15356 15355->15356 15356->15334 15358 4fa922 15357->15358 15359 4f3c91 15357->15359 15438 4fa8fd LeaveCriticalSection 15358->15438 15363 4f3ca4 15359->15363 15437 4f44b0 LeaveCriticalSection 15359->15437 15362 4fa929 15362->15330 15363->15330 
15370 4ff71b 15364->15370 15369->15339 15391 4ff0ca 15370->15391 15390 4ff74d 15390->15390 15392 4ff2b3 std::_Lockit::_Lockit 5 API calls 15391->15392 15393 4ff0e0 15392->15393 15394 4ff0e4 15393->15394 15395 4ff2b3 std::_Lockit::_Lockit 5 API calls 15394->15395 15396 4ff0fa 15395->15396 15397 4ff0fe 15396->15397 15398 4ff2b3 std::_Lockit::_Lockit 5 API calls 15397->15398 15399 4ff114 15398->15399 15400 4ff118 15399->15400 15401 4ff2b3 std::_Lockit::_Lockit 5 API calls 15400->15401 15402 4ff12e 15401->15402 15403 4ff132 15402->15403 15404 4ff2b3 std::_Lockit::_Lockit 5 API calls 15403->15404 15405 4ff148 15404->15405 15406 4ff14c 15405->15406 15407 4ff2b3 std::_Lockit::_Lockit 5 API calls 15406->15407 15408 4ff162 15407->15408 15409 4ff166 15408->15409 15410 4ff2b3 std::_Lockit::_Lockit 5 API calls 15409->15410 15411 4ff17c 15410->15411 15412 4ff180 15411->15412 15413 4ff2b3 std::_Lockit::_Lockit 5 API calls 15412->15413 15414 4ff196 15413->15414 15415 4ff1b4 15414->15415 15416 4ff2b3 std::_Lockit::_Lockit 5 API calls 15415->15416 15417 4ff1ca 15416->15417 15418 4ff19a 15417->15418 15419 4ff2b3 std::_Lockit::_Lockit 5 API calls 15418->15419 15420 4ff1b0 15419->15420 15420->15390 15422 4f3d6a _Yarn 15 API calls 15421->15422 15423 4f3ce0 15422->15423 15423->15329 15425 4fb237 15424->15425 15426 4f4460 EncodePointer 15424->15426 15427 502f8a __FrameHandler3::FrameUnwindToState 2 API calls 15425->15427 15426->15348 15426->15425 15428 4fb23c 15427->15428 15429 4fb247 15428->15429 15431 502fcf __FrameHandler3::FrameUnwindToState 41 API calls 15428->15431 15430 4fb251 IsProcessorFeaturePresent 15429->15430 15436 4fb270 15429->15436 15432 4fb25d 15430->15432 15431->15429 15434 4f8f06 __FrameHandler3::FrameUnwindToState 8 API calls 15432->15434 15433 4fc42e __FrameHandler3::FrameUnwindToState 23 API calls 15435 4fb27a 15433->15435 15434->15436 15436->15433 15437->15363 15438->15362 15440 4f23a8 __EH_prolog3 15439->15440 15441 4f3c2f std::_Lockit::_Lockit 7 API calls 
15440->15441 15442 4f23b2 15441->15442 15455 4f2867 15442->15455 15444 4f23c9 15446 4f23dc 15444->15446 15461 4f2cbe 15444->15461 15445 4f3c87 std::_Lockit::~_Lockit 2 API calls 15448 4f2423 ctype 15445->15448 15446->15445 15448->15317 15449 4f23ec 15450 4f242b 15449->15450 15451 4f23f3 15449->15451 15474 4f2f6e 15450->15474 15471 4f3de0 15451->15471 15456 4f2897 15455->15456 15457 4f2873 15455->15457 15456->15444 15458 4f3c2f std::_Lockit::_Lockit 7 API calls 15457->15458 15459 4f287d 15458->15459 15460 4f3c87 std::_Lockit::~_Lockit 2 API calls 15459->15460 15460->15456 15463 4f2cca __EH_prolog3 15461->15463 15462 4f2d1b ctype 15462->15449 15463->15462 15464 4f4918 ctype 43 API calls 15463->15464 15465 4f2ce3 ctype 15464->15465 15470 4f2d0a 15465->15470 15478 4f25a5 15465->15478 15468 4f2cff 15490 4f252f 15468->15490 15470->15462 15493 4f2781 15470->15493 15472 4f4918 ctype 43 API calls 15471->15472 15473 4f3deb 15472->15473 15473->15446 15475 4f2f7c Concurrency::cancel_current_task 15474->15475 15476 4f5a72 std::_Xinvalid_argument RaiseException 15475->15476 15477 4f2f8a 15476->15477 15479 4f25b1 __EH_prolog3 15478->15479 15480 4f3c2f std::_Lockit::_Lockit 7 API calls 15479->15480 15481 4f25be 15480->15481 15482 4f2607 15481->15482 15483 4f25f2 15481->15483 15519 4f21c9 15482->15519 15510 4f3f10 15483->15510 15487 4f25fb ctype 15487->15468 15566 4f4025 15490->15566 15611 4f3f5b 15493->15611 15496 4f27bc 15497 4f27cf 15496->15497 15499 4fa859 std::locale::_Locimp::~_Locimp 14 API calls 15496->15499 15500 4f27e0 15497->15500 15501 4fa859 std::locale::_Locimp::~_Locimp 14 API calls 15497->15501 15498 4fa859 std::locale::_Locimp::~_Locimp 14 API calls 15498->15496 15499->15497 15502 4f27f1 15500->15502 15503 4fa859 std::locale::_Locimp::~_Locimp 14 API calls 15500->15503 15501->15500 15504 4f2802 15502->15504 15505 4fa859 std::locale::_Locimp::~_Locimp 14 API calls 15502->15505 15503->15502 15506 4fa859 std::locale::_Locimp::~_Locimp 14 API calls 15504->15506 15508 
4f2813 15504->15508 15505->15504 15506->15508 15507 4f3c87 std::_Lockit::~_Lockit 2 API calls 15509 4f281e 15507->15509 15508->15507 15509->15462 15524 4fab8b 15510->15524 15513 4f3d6a _Yarn 15 API calls 15514 4f3f34 15513->15514 15515 4f3f44 15514->15515 15516 4fab8b std::_Locinfo::_Locinfo_ctor 69 API calls 15514->15516 15517 4f3d6a _Yarn 15 API calls 15515->15517 15516->15515 15518 4f3f58 15517->15518 15518->15487 15563 4f215d 15519->15563 15522 4f5a72 std::_Xinvalid_argument RaiseException 15523 4f21e8 15522->15523 15525 4ff71b std::_Lockit::_Lockit 5 API calls 15524->15525 15526 4fab98 15525->15526 15529 4fa936 15526->15529 15530 4fa942 __FrameHandler3::FrameUnwindToState 15529->15530 15537 4fa8b5 EnterCriticalSection 15530->15537 15532 4fa950 15538 4fa991 15532->15538 15537->15532 15539 4faaf0 std::_Locinfo::_Locinfo_ctor 69 API calls 15538->15539 15540 4fa9ac 15539->15540 15541 4fec90 __Getctype 41 API calls 15540->15541 15557 4fa95d 15540->15557 15542 4fa9b9 15541->15542 15543 5026bc std::_Locinfo::_Locinfo_ctor 43 API calls 15542->15543 15544 4fa9de 15543->15544 15545 502001 std::_Locinfo::_Locinfo_ctor 15 API calls 15544->15545 15553 4fa9e5 15544->15553 15548 4faa0a 15545->15548 15546 4f912f __Getctype 11 API calls 15547 4faaef 15546->15547 15549 5026bc std::_Locinfo::_Locinfo_ctor 43 API calls 15548->15549 15548->15557 15550 4faa26 15549->15550 15551 4faa2d 15550->15551 15552 4faa48 15550->15552 15551->15553 15554 4faa3f 15551->15554 15556 4fefd8 ___free_lconv_mon 14 API calls 15552->15556 15558 4faa73 15552->15558 15553->15546 15553->15557 15555 4fefd8 ___free_lconv_mon 14 API calls 15554->15555 15555->15557 15556->15558 15560 4fa985 15557->15560 15558->15557 15559 4fefd8 ___free_lconv_mon 14 API calls 15558->15559 15559->15557 15561 4fa8fd std::_Lockit::~_Lockit LeaveCriticalSection 15560->15561 15562 4f3f1c 15561->15562 15562->15513 15564 4f19ca std::exception::exception 42 API calls 15563->15564 15565 4f216f 15564->15565 15565->15522 15578 4fad24 
15566->15578 15568 4f402e __Getctype 15569 4f4048 15568->15569 15570 4f4066 15568->15570 15583 4fabc3 15569->15583 15571 4fabc3 __Getctype 41 API calls 15570->15571 15573 4f404f 15571->15573 15588 4fad49 15573->15588 15576 4f2552 15576->15470 15579 4fec90 __Getctype 41 API calls 15578->15579 15580 4fad2f 15579->15580 15581 5026fa __Getctype 41 API calls 15580->15581 15582 4fad3f 15581->15582 15582->15568 15584 4fec90 __Getctype 41 API calls 15583->15584 15585 4fabce 15584->15585 15586 5026fa __Getctype 41 API calls 15585->15586 15587 4fabde 15586->15587 15587->15573 15589 4fec90 __Getctype 41 API calls 15588->15589 15590 4fad54 15589->15590 15591 5026fa __Getctype 41 API calls 15590->15591 15592 4f4077 15591->15592 15592->15576 15593 4fb1d8 15592->15593 15594 4fb1e5 15593->15594 15595 4fb220 15593->15595 15596 4fa92b _Yarn 15 API calls 15594->15596 15595->15576 15597 4fb208 15596->15597 15597->15595 15602 502e58 15597->15602 15600 4f912f __Getctype 11 API calls 15601 4fb236 15600->15601 15603 502e66 15602->15603 15604 502e74 15602->15604 15603->15604 15609 502e8e 15603->15609 15605 4fb318 __dosmaperr 14 API calls 15604->15605 15606 502e7e 15605->15606 15607 4f9102 __strnicoll 41 API calls 15606->15607 15608 4fb219 15607->15608 15608->15595 15608->15600 15609->15608 15610 4fb318 __dosmaperr 14 API calls 15609->15610 15610->15606 15612 4f3f67 15611->15612 15613 4f27ad 15611->15613 15614 4fab8b std::_Locinfo::_Locinfo_ctor 69 API calls 15612->15614 15613->15496 15613->15498 15614->15613 14997 4f48c7 14998 4f50c0 GetModuleHandleW 14997->14998 14999 4f48cf 14998->14999 15000 4f4905 14999->15000 15001 4f48d3 14999->15001 15002 4fc42e __FrameHandler3::FrameUnwindToState 23 API calls 15000->15002 15003 4f48de 15001->15003 15006 4fc410 15001->15006 15005 4f490d 15002->15005 15007 4fc252 __FrameHandler3::FrameUnwindToState 23 API calls 15006->15007 15008 4fc41b 15007->15008 15008->15003 16206 4f92d3 16207 4f97ed ___scrt_uninitialize_crt 70 API calls 16206->16207 16208 4f92db 
16207->16208 16216 4ff79c 16208->16216 16210 4f92e0 16226 4ff847 16210->16226 16213 4f930a 16214 4fefd8 ___free_lconv_mon 14 API calls 16213->16214 16215 4f9315 16214->16215 16217 4ff7a8 __FrameHandler3::FrameUnwindToState 16216->16217 16230 4fa8b5 EnterCriticalSection 16217->16230 16219 4ff81f 16237 4ff83e 16219->16237 16222 4ff7f3 DeleteCriticalSection 16224 4fefd8 ___free_lconv_mon 14 API calls 16222->16224 16225 4ff7b3 16224->16225 16225->16219 16225->16222 16231 4f94b2 16225->16231 16227 4ff85e 16226->16227 16229 4f92ef DeleteCriticalSection 16226->16229 16228 4fefd8 ___free_lconv_mon 14 API calls 16227->16228 16227->16229 16228->16229 16229->16210 16229->16213 16230->16225 16232 4f94c5 _Fputc 16231->16232 16240 4f938d 16232->16240 16234 4f94d1 16235 4f8e3b _Fputc 41 API calls 16234->16235 16236 4f94dd 16235->16236 16236->16225 16312 4fa8fd LeaveCriticalSection 16237->16312 16239 4ff82b 16239->16210 16241 4f9399 __FrameHandler3::FrameUnwindToState 16240->16241 16242 4f93c6 16241->16242 16243 4f93a3 16241->16243 16250 4f93be 16242->16250 16251 4f9365 EnterCriticalSection 16242->16251 16244 4f9085 _Deallocate 29 API calls 16243->16244 16244->16250 16246 4f93e4 16252 4f9424 16246->16252 16248 4f93f1 16266 4f941c 16248->16266 16250->16234 16251->16246 16253 4f9454 16252->16253 16254 4f9431 16252->16254 16256 4f944c 16253->16256 16257 4f971f ___scrt_uninitialize_crt 66 API calls 16253->16257 16255 4f9085 _Deallocate 29 API calls 16254->16255 16255->16256 16256->16248 16258 4f946c 16257->16258 16259 4ff847 14 API calls 16258->16259 16260 4f9474 16259->16260 16261 4ffa79 __fread_nolock 41 API calls 16260->16261 16262 4f9480 16261->16262 16269 4ffb31 16262->16269 16265 4fefd8 ___free_lconv_mon 14 API calls 16265->16256 16311 4f9379 LeaveCriticalSection 16266->16311 16268 4f9422 16268->16250 16270 4ffb5a 16269->16270 16275 4f9487 16269->16275 16271 4ffba9 16270->16271 16273 4ffb81 16270->16273 16272 4f9085 _Deallocate 29 API calls 16271->16272 16272->16275 16276 4ffaa0 
16273->16276 16275->16256 16275->16265 16277 4ffaac __FrameHandler3::FrameUnwindToState 16276->16277 16284 50578d EnterCriticalSection 16277->16284 16279 4ffaba 16280 4ffaeb 16279->16280 16285 4ffbd4 16279->16285 16298 4ffb25 16280->16298 16284->16279 16286 505864 __fread_nolock 41 API calls 16285->16286 16287 4ffbe4 16286->16287 16288 4ffbea 16287->16288 16290 4ffc1c 16287->16290 16291 505864 __fread_nolock 41 API calls 16287->16291 16301 5057d3 16288->16301 16290->16288 16292 505864 __fread_nolock 41 API calls 16290->16292 16293 4ffc13 16291->16293 16294 4ffc28 CloseHandle 16292->16294 16295 505864 __fread_nolock 41 API calls 16293->16295 16294->16288 16296 4ffc34 GetLastError 16294->16296 16295->16290 16296->16288 16297 4ffc42 __fread_nolock 16297->16280 16310 5057b0 LeaveCriticalSection 16298->16310 16300 4ffb0e 16300->16275 16302 5057e2 16301->16302 16303 505849 16301->16303 16302->16303 16309 50580c 16302->16309 16304 4fb318 __dosmaperr 14 API calls 16303->16304 16305 50584e 16304->16305 16306 4fb305 __dosmaperr 14 API calls 16305->16306 16307 505839 16306->16307 16307->16297 16308 505833 SetStdHandle 16308->16307 16309->16307 16309->16308 16310->16300 16311->16268 16312->16239 17777 4ff9ed 17778 4ff9f9 __FrameHandler3::FrameUnwindToState 17777->17778 17789 4fa8b5 EnterCriticalSection 17778->17789 17780 4ffa00 17790 5056ef 17780->17790 17788 4ffa1e 17814 4ffa44 17788->17814 17789->17780 17791 5056fb __FrameHandler3::FrameUnwindToState 17790->17791 17792 505704 17791->17792 17793 505725 17791->17793 17795 4fb318 __dosmaperr 14 API calls 17792->17795 17817 4fa8b5 EnterCriticalSection 17793->17817 17796 505709 17795->17796 17797 4f9102 __strnicoll 41 API calls 17796->17797 17798 4ffa0f 17797->17798 17798->17788 17803 4ff887 GetStartupInfoW 17798->17803 17801 505731 17802 50575d 17801->17802 17818 50563f 17801->17818 17825 505784 17802->17825 17804 4ff938 17803->17804 17805 4ff8a4 17803->17805 17809 4ff93d 17804->17809 17805->17804 17806 5056ef 42 API calls 
17805->17806 17807 4ff8cc 17806->17807 17807->17804 17808 4ff8fc GetFileType 17807->17808 17808->17807 17813 4ff944 17809->17813 17810 4ff987 GetStdHandle 17810->17813 17811 4ff9e9 17811->17788 17812 4ff99a GetFileType 17812->17813 17813->17810 17813->17811 17813->17812 17829 4fa8fd LeaveCriticalSection 17814->17829 17816 4ffa2f 17817->17801 17819 4fef7b __dosmaperr 14 API calls 17818->17819 17824 505651 17819->17824 17820 50565e 17821 4fefd8 ___free_lconv_mon 14 API calls 17820->17821 17822 5056b3 17821->17822 17822->17801 17823 4ff5c0 6 API calls 17823->17824 17824->17820 17824->17823 17828 4fa8fd LeaveCriticalSection 17825->17828 17827 50578b 17827->17798 17828->17827 17829->17816 14991 504ee4 14992 504f1f 14991->14992 14993 504eed 14991->14993 14994 4fed4b 41 API calls 14993->14994 14995 504f10 14994->14995 14996 504cef 52 API calls 14995->14996 14996->14992 13669 4f478c 13670 4f4798 __FrameHandler3::FrameUnwindToState 13669->13670 13694 4f4ac4 13670->13694 13672 4f479f 13673 4f48f8 13672->13673 13683 4f47c9 ___scrt_is_nonwritable_in_current_image __FrameHandler3::FrameUnwindToState ___scrt_release_startup_lock 13672->13683 13744 4f4fa6 IsProcessorFeaturePresent 13673->13744 13675 4f48ff 13676 4f4905 13675->13676 13724 4fc46a 13675->13724 13748 4fc42e 13676->13748 13680 4f47e8 13681 4f4869 13702 4fc0a8 13681->13702 13683->13680 13683->13681 13727 4fc444 13683->13727 13685 4f486f 13706 50c26a 13685->13706 13690 4f4894 13691 4f489d 13690->13691 13735 4fc41f 13690->13735 13738 4f4c35 13691->13738 13695 4f4acd 13694->13695 13751 4f4ccc IsProcessorFeaturePresent 13695->13751 13699 4f4ade 13700 4f4ae2 13699->13700 13761 4f7a2d 13699->13761 13700->13672 13703 4fc0b6 13702->13703 13704 4fc0b1 13702->13704 13703->13685 13821 4fbe02 13704->13821 14480 4f116f 13706->14480 13708 50c28d GetModuleHandleA 14488 4f1852 13708->14488 13710 50c2a9 _strlen 14492 4f1e58 13710->14492 13712 50c2bf _strlen 13713 4f1e58 std::ios_base::_Init 43 API calls 13712->13713 13714 50c2d5 
[Execution graph residue: Joe Sandbox's function call graph for file.exe was exported as text, as a flat list of node ids, function start addresses and edges. Only the recoverable information is kept here.]

Almost all of the graph covers C runtime and STL internals (__FrameHandler3::FrameUnwindToState, __dosmaperr, ___free_lconv_mon, __Getctype, ___vcrt_FlsSetValue, std::_Locinfo::_Locinfo_ctor, std::_Lockit::_Lockit, std::ios_base::_Init, ___scrt_uninitialize_crt, _Fputc, __strnicoll and related helpers) in the 4f1150-50c302 address range. The imported APIs reached from those nodes are the usual runtime set: GetModuleHandleW, GetModuleHandleExW, GetProcAddress, LoadLibraryExW, FreeLibrary, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, HeapAlloc, HeapFree, GetLastError, SetLastError, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsProcessorFeaturePresent, GetCurrentProcess, TerminateProcess, ExitProcess, GetPEB, RaiseException, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetOEMCP, GetACP, IsValidCodePage, GetCPInfo, GetStringTypeW, LCMapStringEx, LCMapStringW, MultiByteToWideChar, WideCharToMultiByte, WriteFile, FlushFileBuffers, CreateThread and WaitForSingleObject. Node 4fc8a8 and nodes 16962-16977 form a separate small cluster that only takes and releases a critical section.

The one path that is not runtime code starts at 7f018d and is the process-injection sequence reported elsewhere in this analysis:

7f018d -> 7f01c5: CreateProcessA, VirtualAlloc, Wow64GetThreadContext, ReadProcessMemory, VirtualAllocEx
7f01c5 -> 7f03a2: WriteProcessMemory
7f03a2 -> 7f03e7 -> 7f03ec: WriteProcessMemory (loop back to 7f03e7)
7f03e7 -> 7f0429: WriteProcessMemory, Wow64SetThreadContext, ResumeThread

That is, a child process is created, its thread context is read, memory is allocated in it, image data is written into it in a loop, the thread context is replaced and the thread is resumed; the Wow64 variants indicate a 32-bit target on the 64-bit analysis host.

                Control-flow Graph

                APIs
                • CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 007F02FC
                • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 007F030F
                • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 007F032D
                • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 007F0351
                • VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 007F037C
                • WriteProcessMemory.KERNELBASE(?,00000000,?,?,00000000,?), ref: 007F03D4
                • WriteProcessMemory.KERNELBASE(?,?,?,?,00000000,?,00000028), ref: 007F041F
                • WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 007F045D
                • Wow64SetThreadContext.KERNEL32(?,?), ref: 007F0499
                • ResumeThread.KERNELBASE(?), ref: 007F04A8
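                Read in call-site order, the ten calls above are the canonical RunPE / process-hollowing chain: CreateProcessA with dwCreationFlags 00000004 (CREATE_SUSPENDED) starts the child suspended; VirtualAlloc obtains a 4-byte local buffer (size 00000004, MEM_COMMIT 00001000, PAGE_READWRITE 00000004); Wow64GetThreadContext and a 4-byte ReadProcessMemory fetch the child's thread context and a pointer-sized value, consistent with reading PEB->ImageBaseAddress of a 32-bit target; VirtualAllocEx with 00003000 (MEM_COMMIT|MEM_RESERVE) and 00000040 (PAGE_EXECUTE_READWRITE) reserves the destination; the three WriteProcessMemory call sites map to the graph blocks 7f03a2 (007F03D4), 7f03ec (007F041F, the block that loops back to 7f03e7, consistent with one write per PE section) and 7f0429 (007F045D, a 4-byte write); Wow64SetThreadContext and ResumeThread then hand control to the injected image. The Python below is an added triage helper, not code from the report or from Joe Sandbox: it parses API listing lines in the report's own format, decodes the constants the sandbox did capture, and checks each indicator of the chain in order. The sample listing is copied from the ten lines above; the Win32 constant values are the public ones, and `pointer_sized_peb_patch` is an inference the listing is consistent with, not something the report states.

```python
"""Added triage helper (not part of the Joe Sandbox report): parse API listing
lines in the report's format and test them for the RunPE / process hollowing
chain.  Win32 constants are the public values; the sample listing is copied
from the report's function at 0x7F018D."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Matches lines such as
#   • VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 007F037C
API_LINE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>[A-Z0-9]+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Public Win32 constants (not taken from the report).
CREATE_SUSPENDED = 0x00000004            # CreateProcess dwCreationFlags bit
MEM_COMMIT, MEM_RESERVE = 0x1000, 0x2000  # VirtualAllocEx flAllocationType
PAGE_EXECUTE_READWRITE = 0x40            # VirtualAllocEx flProtect

REPORT_API_LISTING = """\
• CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 007F02FC
• VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 007F030F
• Wow64GetThreadContext.KERNEL32(?,00000000), ref: 007F032D
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 007F0351
• VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 007F037C
• WriteProcessMemory.KERNELBASE(?,00000000,?,?,00000000,?), ref: 007F03D4
• WriteProcessMemory.KERNELBASE(?,?,?,?,00000000,?,00000028), ref: 007F041F
• WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 007F045D
• Wow64SetThreadContext.KERNEL32(?,?), ref: 007F0499
• ResumeThread.KERNELBASE(?), ref: 007F04A8
"""


@dataclass
class Call:
    api: str
    module: str
    args: List[str]   # hex strings, or "?" where the sandbox did not capture the value
    ref: int          # call-site address


def parse_api_listing(text: str) -> List[Call]:
    """Calls in listing order; headings and 'Part of subcall' lines are skipped."""
    calls: List[Call] = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            raw = m.group("args").strip()
            args = [a.strip() for a in raw.split(",")] if raw else []
            calls.append(Call(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def arg_int(call: Call, idx: int) -> Optional[int]:
    """Argument idx as an integer, or None if missing or logged as '?'."""
    if idx >= len(call.args):
        return None
    try:
        return int(call.args[idx], 16)
    except ValueError:
        return None


def hollowing_indicators(calls: List[Call]) -> Dict[str, bool]:
    """One boolean per RunPE indicator; order checks use listing position."""
    def first(*names: str) -> Optional[Call]:
        return next((c for c in calls if c.api in names), None)

    def position(*names: str, last: bool = False) -> Optional[int]:
        hits = [i for i, c in enumerate(calls) if c.api in names]
        return (hits[-1] if last else hits[0]) if hits else None

    ind: Dict[str, bool] = {}
    # 1. child started suspended: dwCreationFlags is the 6th CreateProcess argument
    cp = first("CreateProcessA", "CreateProcessW")
    flags = arg_int(cp, 5) if cp else None
    ind["child_created_suspended"] = flags is not None and bool(flags & CREATE_SUSPENDED)
    # 2. remote RWX allocation (flAllocationType, flProtect of VirtualAllocEx)
    va = first("VirtualAllocEx")
    ind["remote_rwx_allocation"] = (
        va is not None
        and arg_int(va, 3) == (MEM_COMMIT | MEM_RESERVE)
        and arg_int(va, 4) == PAGE_EXECUTE_READWRITE
    )
    # 3. 4-byte remote read plus 4-byte remote write: consistent with reading and
    #    later patching PEB->ImageBaseAddress of a 32-bit child (inference)
    rpm = first("ReadProcessMemory")
    wpm4 = [c for c in calls if c.api == "WriteProcessMemory" and arg_int(c, 3) == 4]
    ind["pointer_sized_peb_patch"] = rpm is not None and arg_int(rpm, 3) == 4 and bool(wpm4)
    # 4. context read before the writes, context write and resume after them
    get_ctx = position("Wow64GetThreadContext", "GetThreadContext")
    set_ctx = position("Wow64SetThreadContext", "SetThreadContext")
    w_first = position("WriteProcessMemory")
    w_last = position("WriteProcessMemory", last=True)
    resume = position("ResumeThread")
    ind["context_swap_then_resume"] = (
        None not in (get_ctx, set_ctx, w_first, w_last, resume)
        and get_ctx < w_first <= w_last < set_ctx < resume
    )
    return ind


def is_process_hollowing(calls: List[Call]) -> bool:
    """True only when every indicator fires; any single one is weak on its own."""
    return all(hollowing_indicators(calls).values())
```

                Run `hollowing_indicators(parse_api_listing(REPORT_API_LISTING))` to get the four indicators; on the listing above all four are true. The verdict deliberately requires the whole chain, since a suspended CreateProcess or a single remote RWX allocation also occurs in debuggers, installers and some protectors.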
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2066730426.00000000007F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7f0000_file.jbxd
                Similarity
                • API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
                • String ID: GetP$Load$aryA$ress
                • API String ID: 2687962208-977067982
                • Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
                • Instruction ID: c3292326410d98d99da4159f2e3343151b0f0e2a3e7f144517251735dfe2070f
                • Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
                • Instruction Fuzzy Hash: 0DB1D77664024AAFDB60CF68CC80BDA77A5FF88714F158524EA0CEB341D774FA518B94
                Memory Dump Source
                • Source File: 00000000.00000002.2066505807.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                • Associated: 00000000.00000002.2066479118.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066538862.000000000050D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.0000000000517000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000054B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000055A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066659962.0000000000566000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6d3a586ec2da16d7fd3ee7ee03ae3402aab8ac5a3c6cbba84838bbe677f8115f
                • Instruction ID: 457176f6b862a6dca86e38a374ba997a1a31c23065881844d2c083669c61672d
                • Opcode Fuzzy Hash: 6d3a586ec2da16d7fd3ee7ee03ae3402aab8ac5a3c6cbba84838bbe677f8115f
                • Instruction Fuzzy Hash: 18E08C72911238EBCB25DBC9C908D8AF7ECFB44B04B5100AAF601D3140D271DE00DBD0
                Memory Dump Source
                • Source File: 00000000.00000002.2066505807.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                • Associated: 00000000.00000002.2066479118.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066538862.000000000050D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.0000000000517000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000054B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000055A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066659962.0000000000566000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4c992419eee8842309e7582ba631cfc6caef1f6ffe052a819ae54955aa5ef9da
                • Instruction ID: d392dbeb603afc2da91a9cd38266ab2d236367fb4b059821f0f7262894e0f429
                • Opcode Fuzzy Hash: 4c992419eee8842309e7582ba631cfc6caef1f6ffe052a819ae54955aa5ef9da
                • Instruction Fuzzy Hash: B6C08C3408090847CF29891893B13BF3358BBD77C2F80188ECA030BBA2C91F9C82DA08

                Control-flow Graph

                Control-flow graph summary (basic blocks 4ff1e8..4ff2b1; the rendered graph with its executed / not-executed colouring is not recoverable): LoadLibraryExW at 4ff217; on failure GetLastError at 4ff232, then up to two checks via sub_4fe918 (4ff23d, 4ff251) before a retry LoadLibraryExW at 4ff265; a successful load reaches 4ff296 and may FreeLibrary at 4ff2a8; all paths return through 4ff2af.
                APIs
                • FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00000000,?,BA3E30E8,?,004FF2F5,?,?,00000000,00000000), ref: 004FF2A9
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2066505807.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                • Associated: 00000000.00000002.2066479118.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066538862.000000000050D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.0000000000517000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000054B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000055A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066659962.0000000000566000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                Yara matches
                Similarity
                • API ID: FreeLibrary
                • String ID: api-ms-$ext-ms-
                • API String ID: 3664257935-537541572
                • Opcode ID: c22f636b4897fc055c631b89c526c9f985c52247673f7f1c42b3650b3cd6d985
                • Instruction ID: 9a039257622880cae863299a60f9b623eae4b3e8706e463a027e364d64e4fe34
                • Opcode Fuzzy Hash: c22f636b4897fc055c631b89c526c9f985c52247673f7f1c42b3650b3cd6d985
                • Instruction Fuzzy Hash: 2D2160359001189BDB315B65EC44A7F3768BF11760F220172FA15A33D0D779ED09D6E5

                Control-flow Graph

                Control-flow graph summary (basic blocks 502c21..502e0e; executed / not-executed colouring not recoverable): optional call 4fb4db at 502c3c; 503db8 at 502c64 and 502cdb; buffer set-up either on the stack via 4f4ca0 (__alloca_probe_16 at 502ca8 / 502d69) or on the heap via 502001 (HeapAlloc at 502cbb / 502d7c); 4ff682 (the LCMapString wrapper) at 502cf8, 502d35 and 502d96; 503e34 at 502dbb; every exit releases through 4f46a9 (__freea at 502dcf / 502de4 / 502df4) and 4f4956 at 502dfd.
                APIs
                • __alloca_probe_16.LIBCMT ref: 00502CA8
                • __alloca_probe_16.LIBCMT ref: 00502D69
                • __freea.LIBCMT ref: 00502DD0
                  • Part of subcall function 00502001: HeapAlloc.KERNEL32(00000000,004F21BA,?,?,004F5A1A,?,?,?,00000000,?,004F19F6,004F21BA,?,?,?,?), ref: 00502033
                • __freea.LIBCMT ref: 00502DE5
                • __freea.LIBCMT ref: 00502DF5
                Memory Dump Source
                • Source File: 00000000.00000002.2066505807.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                • Associated: 00000000.00000002.2066479118.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066538862.000000000050D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.0000000000517000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000054B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000055A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066659962.0000000000566000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                Yara matches
                Similarity
                • API ID: __freea$__alloca_probe_16$AllocHeap
                • String ID:
                • API String ID: 1096550386-0
                • Opcode ID: 44dd3ccea7792dfb05ef162d853585b4430bcb78056f8ccdd787e4fc05245412
                • Instruction ID: 02a327a856717d68290b297927f07722e1a2c7dca6edde95faeb584752a34197
                • Opcode Fuzzy Hash: 44dd3ccea7792dfb05ef162d853585b4430bcb78056f8ccdd787e4fc05245412
                • Instruction Fuzzy Hash: 8B51DE7260021AAFEF259F61CC8AEBF3EA9FF44314F150129FD08D6180EA34CC51D6A4

                Control-flow Graph

                APIs
                • VirtualAlloc.KERNELBASE(00000000,000004AC,00001000,00000040,ole,00000000,?,00564398,0050C302), ref: 0050C222
                  • Part of subcall function 0050C168: _Deallocate.LIBCONCRT ref: 0050C203
                • CreateThread.KERNELBASE(00000000,00000000,00000188,00517018,00000000,00000000), ref: 0050C256
                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0050C25F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2066505807.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                • Associated: 00000000.00000002.2066479118.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066538862.000000000050D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.0000000000517000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000054B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000055A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066659962.0000000000566000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                Yara matches
                Similarity
                • API ID: AllocCreateDeallocateObjectSingleThreadVirtualWait
                • String ID: ole
                • API String ID: 53083093-1213916275
                • Opcode ID: 3d6131ee016f423b2ee6f933ff392ff49b3e7e61a8a0b44dcf9ce86fad7d201e
                • Instruction ID: cd2a2e4127f68da54de948cf93d2dd82a7237b2cce4e97489fd4a68b91e3debb
                • Opcode Fuzzy Hash: 3d6131ee016f423b2ee6f933ff392ff49b3e7e61a8a0b44dcf9ce86fad7d201e
                • Instruction Fuzzy Hash: A3F065B224020C3BE11023A6DC4DFAF3E2CEB877BAF410115B709910C2A91659059675

                Control-flow Graph

                APIs
                • GetCurrentProcess.KERNEL32(?,?,004FC2E3,00000000,004F8F02,?,?,BA3E30E8,004F8F02,?), ref: 004FC2FA
                • TerminateProcess.KERNEL32(00000000,?,004FC2E3,00000000,004F8F02,?,?,BA3E30E8,004F8F02,?), ref: 004FC301
                • ExitProcess.KERNEL32 ref: 004FC313
                Memory Dump Source
                • Source File: 00000000.00000002.2066505807.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                • Associated: 00000000.00000002.2066479118.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066538862.000000000050D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.0000000000517000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000054B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000055A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066659962.0000000000566000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                Yara matches
                Similarity
                • API ID: Process$CurrentExitTerminate
                • String ID:
                • API String ID: 1703294689-0
                • Opcode ID: f01cbfe1aab1ea5a3f40386b2326edaea2f0d4cc6977a4eb875e72729cb6795e
                • Instruction ID: 60011b959e11badd6908ec172ab66e5d08e1b159835fac0f9e9a15091b3dc059
                • Opcode Fuzzy Hash: f01cbfe1aab1ea5a3f40386b2326edaea2f0d4cc6977a4eb875e72729cb6795e
                • Instruction Fuzzy Hash: 79D09E3200410CAFCF012FA1DE5D96D3F36BF55395F048415BE4D4A131DB369957AAA4

                Control-flow Graph

                Control-flow graph summary (basic blocks 504f3f..505146; executed / not-executed colouring not recoverable): entry calls 504a6f (GetOEMCP) at 504f3f; IsValidCodePage at 504f9c; GetCPInfo at 504fdd; 504b43 at 504fc7; 4f6090 at 504fec and 50507e; 504a31 at 505051 and 5050ee; 504ae0 at 50512f; exit through 4f4956 at 505138.
                APIs
                  • Part of subcall function 00504A6F: GetOEMCP.KERNEL32(00000000,?,?,00000000,?), ref: 00504A9A
                • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,00504D86,?,00000000,?,00000000,?), ref: 00504FA0
                • GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,00504D86,?,00000000,?,00000000,?), ref: 00504FE2
                Memory Dump Source
                • Source File: 00000000.00000002.2066505807.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                • Associated: 00000000.00000002.2066479118.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066538862.000000000050D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.0000000000517000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000054B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000055A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066659962.0000000000566000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                Yara matches
                Similarity
                • API ID: CodeInfoPageValid
                • String ID:
                • API String ID: 546120528-0
                • Opcode ID: 6e7f67127ed106060668e3151512be07908a97599aa2ed0845e1bd40c80b21c6
                • Instruction ID: 114d254298fd12daf329feb7d96abdeed692e53cf707c56e516eb6937304f0d7
                • Opcode Fuzzy Hash: 6e7f67127ed106060668e3151512be07908a97599aa2ed0845e1bd40c80b21c6
                • Instruction Fuzzy Hash: E4511370A00A469EDB20CF35C8A96AFBFF5FF90304F18856ED1868B291F6759945CF90

                Control-flow Graph

                Control-flow graph summary (basic blocks 4ff682..4ff6dc; executed / not-executed colouring not recoverable): 4ff682 calls 4ff1b4, then either LCMapStringEx at 4ff693 or the fallback at 4ff6ba (call 4ff6df, then LCMapStringW); both paths join at 4ff6da.
                APIs
                • LCMapStringEx.KERNELBASE(?,00502D0F,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 004FF6B6
                • LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00502D0F,?,?,00000000,?,00000000), ref: 004FF6D4
                Memory Dump Source
                • Source File: 00000000.00000002.2066505807.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                • Associated: 00000000.00000002.2066479118.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066538862.000000000050D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.0000000000517000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000054B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000055A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066659962.0000000000566000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                Yara matches
                Similarity
                • API ID: String
                • String ID:
                • API String ID: 2568140703-0
                • Opcode ID: 5a8937ec1466a9da03333e7cebcdb164c99683de337cb715cc8f71c0904f0796
                • Instruction ID: aa6f7c39c65051cf642d63492ab59cf7b64bd8b46f480b2e55c62314e64aca6f
                • Opcode Fuzzy Hash: 5a8937ec1466a9da03333e7cebcdb164c99683de337cb715cc8f71c0904f0796
                • Instruction Fuzzy Hash: 85F0683200011EBBCF125F91DC059EE3F66BF583A0F058025FF1965130CA36C836AB98

                Control-flow Graph

                Control-flow graph summary (basic blocks 504b43..504cee; executed / not-executed colouring not recoverable): GetCPInfo at 504b6b; 502b18 and 502e0f at 504bd0; a second 502e0f at 504c0c; short self-loops at 504b8c, 504bb6..504bc5 and 504c43..504c7a; exit through 4f4956 at 504ce0.
                APIs
                • GetCPInfo.KERNEL32(E8458D00,?,00504D92,00504D86,00000000), ref: 00504B75
                Memory Dump Source
                • Source File: 00000000.00000002.2066505807.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                • Associated: 00000000.00000002.2066479118.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066538862.000000000050D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.0000000000517000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000054B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000055A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066659962.0000000000566000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                Yara matches
                Similarity
                • API ID: Info
                • String ID:
                • API String ID: 1807457897-0
                • Opcode ID: 3be3abc91bc9d750bba0e685f3c2b29550bc2fa0f4d56053eeec3e29a9fa1214
                • Instruction ID: f872728253436cb064ff6fe8dd7d3cb741bc276e6f0f86d9c516df824f50f131
                • Opcode Fuzzy Hash: 3be3abc91bc9d750bba0e685f3c2b29550bc2fa0f4d56053eeec3e29a9fa1214
                • Instruction Fuzzy Hash: 3E5127B16041589AEB218A28CD84BEA7FBCFB55304F2405E9D69AD71C2D371AD46DF20

                Control-flow Graph

                Control-flow graph summary (basic blocks 4ff2b3..4ff335; executed / not-executed colouring not recoverable): call 4ff1e8 (the LoadLibraryExW routine listed above) at 4ff2e9; GetProcAddress at 4ff2fb, followed by either 4ff318 or a call to 4fba6a at 4ff30b; exit at 4ff332.
                Memory Dump Source
                • Source File: 00000000.00000002.2066505807.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                • Associated: 00000000.00000002.2066479118.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066538862.000000000050D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.0000000000517000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000054B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000055A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066659962.0000000000566000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 08af84cc5b45642dbdd1f88855036f6269d94d5c8f58c3ccc64c1d161604de92
                • Instruction ID: a562d82e7e1541c33bfb469a1e63c4af8296dad36866a02f9ce4a7d0900523ee
                • Opcode Fuzzy Hash: 08af84cc5b45642dbdd1f88855036f6269d94d5c8f58c3ccc64c1d161604de92
                • Instruction Fuzzy Hash: EB01F5376002199F9B15CE6EEC4096B3796BF913207244136FA05CB154EB35DC0A9799
                APIs
                • GetLocaleInfoW.KERNEL32(?,2000000B,00507AF4,00000002,00000000,?,?,?,00507AF4,?,00000000), ref: 0050786F
                • GetLocaleInfoW.KERNEL32(?,20001004,00507AF4,00000002,00000000,?,?,?,00507AF4,?,00000000), ref: 00507898
                • GetACP.KERNEL32(?,?,00507AF4,?,00000000), ref: 005078AD
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2066505807.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                • Associated: 00000000.00000002.2066479118.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066538862.000000000050D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.0000000000517000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000054B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000055A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066659962.0000000000566000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                Yara matches
                Similarity
                • API ID: InfoLocale
                • String ID: ACP$OCP
                • API String ID: 2299586839-711371036
                • Opcode ID: b1d4dbd06f7deb4c8b128182a7e902d8428f3c51013b9167134f8c774116cdf7
                • Instruction ID: da7c6b8be64e341c08bfa70ee1ff8711c6ae4f327ca7866e9fedb24c6b73c580
                • Opcode Fuzzy Hash: b1d4dbd06f7deb4c8b128182a7e902d8428f3c51013b9167134f8c774116cdf7
                • Instruction Fuzzy Hash: 7D21B832E08109AAEB348B94C909B9F7AA7FF58B54F56C464E90AD7190F731FD42C390
                APIs
                  • Part of subcall function 004FEC90: GetLastError.KERNEL32(?,00000008,00503196,00000000,004F9083), ref: 004FEC94
                  • Part of subcall function 004FEC90: SetLastError.KERNEL32(00000000,00000002,000000FF), ref: 004FED36
                • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00507AB7
                • IsValidCodePage.KERNEL32(00000000), ref: 00507B00
                • IsValidLocale.KERNEL32(?,00000001), ref: 00507B0F
                • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00507B57
                • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00507B76
                Memory Dump Source
                • Source File: 00000000.00000002.2066505807.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                • Associated: 00000000.00000002.2066479118.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066538862.000000000050D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.0000000000517000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000054B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000055A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066659962.0000000000566000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                Yara matches
                Similarity
                • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                • String ID:
                • API String ID: 415426439-0
                • Opcode ID: be44929416d5f04c8565af01eb7569598fedd4d9ee530171cb2a7b39416c0108
                • Instruction ID: 859ea4bd3ba2a6ef82a0c82ecc3e5177d32e28d01c1fb450fdffe9ab4450e4ad
                • Opcode Fuzzy Hash: be44929416d5f04c8565af01eb7569598fedd4d9ee530171cb2a7b39416c0108
                • Instruction Fuzzy Hash: 54517071E0420EAFEB10DFA5CC45ABE7BB8FF48700F184469E905E71D1EB70AA448B61
                APIs
                  • Part of subcall function 004FEC90: GetLastError.KERNEL32(?,00000008,00503196,00000000,004F9083), ref: 004FEC94
                  • Part of subcall function 004FEC90: SetLastError.KERNEL32(00000000,00000002,000000FF), ref: 004FED36
                • GetACP.KERNEL32(?,?,?,?,?,?,004FCC9C,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00507108
                • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,004FCC9C,?,?,?,00000055,?,-00000050,?,?), ref: 00507133
                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00507296
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2066505807.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                • Associated: 00000000.00000002.2066479118.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066538862.000000000050D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.0000000000517000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000054B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000055A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066659962.0000000000566000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLast$CodeInfoLocalePageValid
                • String ID: utf8
                • API String ID: 607553120-905460609
                • Opcode ID: 918271f2fece0a57636f1fb447d587e7ae97b507cd3b175c041b9e4f1de3e084
                • Instruction ID: 886853c6dae00a6921bb0396df2b92d173651afd2c0cae73c80bf545ff5cbc81
                • Opcode Fuzzy Hash: 918271f2fece0a57636f1fb447d587e7ae97b507cd3b175c041b9e4f1de3e084
                • Instruction Fuzzy Hash: 77710575E0420BAAEB24AB75DC4ABAF7BA8FF48700F14442AF905D71C1EB70F951C660
                APIs
                • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 004F4FB2
                • IsDebuggerPresent.KERNEL32 ref: 004F507E
                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004F5097
                • UnhandledExceptionFilter.KERNEL32(?), ref: 004F50A1
                Memory Dump Source
                • Source File: 00000000.00000002.2066505807.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                • Associated: 00000000.00000002.2066479118.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066538862.000000000050D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.0000000000517000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000054B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000055A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066659962.0000000000566000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                Yara matches
                Similarity
                • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                • String ID:
                • API String ID: 254469556-0
                • Opcode ID: dfc7447d7c5bdb9efdfb52899589ecb8388371d4fcf98888ffa4ac0c14593995
                • Instruction ID: e9e54b8516a4ea5454da1ecefb9f90eb9a3fa595da12fd59737ecb6a7e7ba783
                • Opcode Fuzzy Hash: dfc7447d7c5bdb9efdfb52899589ecb8388371d4fcf98888ffa4ac0c14593995
                • Instruction Fuzzy Hash: 7C311875C0131CDBDB20DFA5D9897CEBBB8AF08300F1041AAE60CAB250EB759A85CF55
                APIs
                  • Part of subcall function 004FEC90: GetLastError.KERNEL32(?,00000008,00503196,00000000,004F9083), ref: 004FEC94
                  • Part of subcall function 004FEC90: SetLastError.KERNEL32(00000000,00000002,000000FF), ref: 004FED36
                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 005074AE
                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 005074F8
                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 005075BE
                Memory Dump Source
                • Source File: 00000000.00000002.2066505807.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                • Associated: 00000000.00000002.2066479118.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066538862.000000000050D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.0000000000517000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000054B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000055A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066659962.0000000000566000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                Yara matches
                Similarity
                • API ID: InfoLocale$ErrorLast
                • String ID:
                • API String ID: 661929714-0
                • Opcode ID: 7148415d9d663870ae33a4a14a010099fc512adfecdbd8d0eb5f7852b46e2d2b
                • Instruction ID: 7e638093166cf3dec783486c2a56a16002912023e922f457d16633b326915bf4
                • Opcode Fuzzy Hash: 7148415d9d663870ae33a4a14a010099fc512adfecdbd8d0eb5f7852b46e2d2b
                • Instruction Fuzzy Hash: A8617E7191861B9FDB289F28CD86BBE7BA8FF08300F14417AE91AC61C5E735E945CB50
                APIs
                • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 004F8FFE
                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 004F9008
                • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 004F9015
                Memory Dump Source
                • Source File: 00000000.00000002.2066505807.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                • Associated: 00000000.00000002.2066479118.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066538862.000000000050D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.0000000000517000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000054B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000055A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066659962.0000000000566000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                Yara matches
                Similarity
                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                • String ID:
                • API String ID: 3906539128-0
                • Opcode ID: 3b487fa43306516005a0510b469576e1d4c5b2d617c7198c117cbe316e1cffe9
                • Instruction ID: 3fc2769fcce0d59578a636b071977c846db05f8d00b7c1139d3a5a5e91d71841
                • Opcode Fuzzy Hash: 3b487fa43306516005a0510b469576e1d4c5b2d617c7198c117cbe316e1cffe9
                • Instruction Fuzzy Hash: DF31E57490121D9BCB21DF69D888B9DBBB4BF18310F5041DAE51CA7250EB749F858F58
                APIs
                • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,?,?,?,0050355B,?,?,?,?,?,?,00000000), ref: 0050378D
                Memory Dump Source
                • Source File: 00000000.00000002.2066505807.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                • Associated: 00000000.00000002.2066479118.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066538862.000000000050D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.0000000000517000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000054B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000055A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066659962.0000000000566000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                Yara matches
                Similarity
                • API ID: ExceptionRaise
                • String ID:
                • API String ID: 3997070919-0
                • Opcode ID: 647737eaec63c51f0c3294b394ceff0c1a1b582f63a1f42f7c90074564498ad4
                • Instruction ID: cb2be053cfba56be33581831ac5841d27978353c519df900fe942e31445c1019
                • Opcode Fuzzy Hash: 647737eaec63c51f0c3294b394ceff0c1a1b582f63a1f42f7c90074564498ad4
                • Instruction Fuzzy Hash: 0FB12B71610604DFD714CF28C48AA697FA4FF45364F258698E89ACF2E1C736EA91CB40
                APIs
                • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 004F4CE2
                Memory Dump Source
                • Source File: 00000000.00000002.2066505807.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                • Associated: 00000000.00000002.2066479118.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066538862.000000000050D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.0000000000517000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000054B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000055A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066659962.0000000000566000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                Yara matches
                Similarity
                • API ID: FeaturePresentProcessor
                • String ID:
                • API String ID: 2325560087-0
                • Opcode ID: 1911d80d1635b9def53eac114e98a50673aa189a1db1c1d0c6f3cd3e0fd14771
                • Instruction ID: 4049cf249c8070f80a284b45d9150c737be77e80da6c8f9e7eea955f72c15e2d
                • Opcode Fuzzy Hash: 1911d80d1635b9def53eac114e98a50673aa189a1db1c1d0c6f3cd3e0fd14771
                • Instruction Fuzzy Hash: C0517AB1A002198FDB15CF99D8817ABBBF0FB98324F24842AD501EB390D7B8A944CF54
                Memory Dump Source
                • Source File: 00000000.00000002.2066505807.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                • Associated: 00000000.00000002.2066479118.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066538862.000000000050D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.0000000000517000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000054B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000055A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066659962.0000000000566000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 90a9e813ece3878ed484c78183ef408a033016769081b15d1458e0b8a2f8ca2e
                • Instruction ID: 18c175a1756d82018187bcd497655981c3b22b563fb4e0b5a49f52f0841ad2db
                • Opcode Fuzzy Hash: 90a9e813ece3878ed484c78183ef408a033016769081b15d1458e0b8a2f8ca2e
                • Instruction Fuzzy Hash: 524190B5804219AFDF20DF69CC89AAEBBB9FF85304F1442D9E518D3241DA359E848F60
                APIs
                  • Part of subcall function 004FEC90: GetLastError.KERNEL32(?,00000008,00503196,00000000,004F9083), ref: 004FEC94
                  • Part of subcall function 004FEC90: SetLastError.KERNEL32(00000000,00000002,000000FF), ref: 004FED36
                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00507701
                Memory Dump Source
                • Source File: 00000000.00000002.2066505807.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                • Associated: 00000000.00000002.2066479118.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066538862.000000000050D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.0000000000517000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000054B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000055A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066659962.0000000000566000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLast$InfoLocale
                • String ID:
                • API String ID: 3736152602-0
                • Opcode ID: 1ae6b9c683fa73bf96c07ab1968641a1a1d915bdee3599854d794deb0b917826
                • Instruction ID: bad776ff36dc9734d2a08a4b4d03abb7e88df4958ba8105ad25c8b346ff425de
                • Opcode Fuzzy Hash: 1ae6b9c683fa73bf96c07ab1968641a1a1d915bdee3599854d794deb0b917826
                • Instruction Fuzzy Hash: A321B331A0820AABDB189B29DD46A7E3BA8FF48359F10407AF905C7281EB74ED44C794
                APIs
                  • Part of subcall function 004FEC90: GetLastError.KERNEL32(?,00000008,00503196,00000000,004F9083), ref: 004FEC94
                  • Part of subcall function 004FEC90: SetLastError.KERNEL32(00000000,00000002,000000FF), ref: 004FED36
                • EnumSystemLocalesW.KERNEL32(0050745A,00000001,00000000,?,-00000050,?,00507A8B,00000000,?,?,?,00000055,?), ref: 005073A6
                Memory Dump Source
                • Source File: 00000000.00000002.2066505807.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                • Associated: 00000000.00000002.2066479118.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066538862.000000000050D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.0000000000517000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000054B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000055A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066659962.0000000000566000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLast$EnumLocalesSystem
                • String ID:
                • API String ID: 2417226690-0
                • Opcode ID: e97e0bb86fff36e522beedf7b796b9693afd33a86229f3eebf98ee7d549e379b
                • Instruction ID: ed8ee9c19fdabdf7a23b99ffeb78d62de4b57ebe0fe64006b419f20988c49c28
                • Opcode Fuzzy Hash: e97e0bb86fff36e522beedf7b796b9693afd33a86229f3eebf98ee7d549e379b
                • Instruction Fuzzy Hash: 7B11293A6047095FEB189F39C8A15BEBF91FF84318B15882DE94647A80E371B803D740
                APIs
                  • Part of subcall function 004FEC90: GetLastError.KERNEL32(?,00000008,00503196,00000000,004F9083), ref: 004FEC94
                  • Part of subcall function 004FEC90: SetLastError.KERNEL32(00000000,00000002,000000FF), ref: 004FED36
                • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00507676,00000000,00000000,?), ref: 00507908
                Memory Dump Source
                • Source File: 00000000.00000002.2066505807.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                • Associated: 00000000.00000002.2066479118.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066538862.000000000050D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.0000000000517000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000054B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000055A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066659962.0000000000566000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLast$InfoLocale
                • String ID:
                • API String ID: 3736152602-0
                • Opcode ID: 37c87eed7f66dff18ff424788c9159d1328a25bc60b112c2ec5d27049c7250d1
                • Instruction ID: dc31be004201554f9be71aaa6ffcc1c69716c31bf747114a93ebf364d780d54e
                • Opcode Fuzzy Hash: 37c87eed7f66dff18ff424788c9159d1328a25bc60b112c2ec5d27049c7250d1
                • Instruction Fuzzy Hash: 4CF0F936D041196BDB245A25C809BBF7F65FB44764F154C29ED06A31C0EA34FD02C5D0
                APIs
                  • Part of subcall function 004FEC90: GetLastError.KERNEL32(?,00000008,00503196,00000000,004F9083), ref: 004FEC94
                  • Part of subcall function 004FEC90: SetLastError.KERNEL32(00000000,00000002,000000FF), ref: 004FED36
                • EnumSystemLocalesW.KERNEL32(005076AD,00000001,00000000,?,-00000050,?,00507A4F,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00507419
                Memory Dump Source
                • Source File: 00000000.00000002.2066505807.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                • Associated: 00000000.00000002.2066479118.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066538862.000000000050D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.0000000000517000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000054B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000055A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066659962.0000000000566000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLast$EnumLocalesSystem
                • String ID:
                • API String ID: 2417226690-0
                • Opcode ID: 65b03ffa0f607a7775127696bed279f53e9e16837bcfc6c73528b135a4fc373d
                • Instruction ID: df395defd39352bdc6e201787219cf120c17d66f46faf5da50da4d5eb1f7aead
                • Opcode Fuzzy Hash: 65b03ffa0f607a7775127696bed279f53e9e16837bcfc6c73528b135a4fc373d
                • Instruction Fuzzy Hash: F0F022366043085FDB245F399885A7E7F91FB84328F15842DFA058B6C0D671BC02C750
                APIs
                  • Part of subcall function 004FA8B5: EnterCriticalSection.KERNEL32(?,?,004FE968,?,00515780,00000008,004FEB2C,?,?,?), ref: 004FA8C4
                • EnumSystemLocalesW.KERNEL32(004FF012,00000001,00515800,0000000C,004FF441,00000000), ref: 004FF057
                Memory Dump Source
                • Source File: 00000000.00000002.2066505807.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                • Associated: 00000000.00000002.2066479118.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066538862.000000000050D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.0000000000517000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000054B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000055A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066659962.0000000000566000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                Yara matches
                Similarity
                • API ID: CriticalEnterEnumLocalesSectionSystem
                • String ID:
                • API String ID: 1272433827-0
                • Opcode ID: d6aed7e50f102d0478507b5055a999de820327c5c25a0958a33a9cbac685d388
                • Instruction ID: 720d54bd44555f8360c4ba93915c7c6826285089f2384bb7fbab0f46041a0740
                • Opcode Fuzzy Hash: d6aed7e50f102d0478507b5055a999de820327c5c25a0958a33a9cbac685d388
                • Instruction Fuzzy Hash: 3EF03C72A00204DFD700EF98E842BAC7BB0FB58725F10402BE515972A1DBB959459F55
                APIs
                  • Part of subcall function 004FEC90: GetLastError.KERNEL32(?,00000008,00503196,00000000,004F9083), ref: 004FEC94
                  • Part of subcall function 004FEC90: SetLastError.KERNEL32(00000000,00000002,000000FF), ref: 004FED36
                • EnumSystemLocalesW.KERNEL32(00507242,00000001,00000000,?,?,00507AAD,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00507320
                Memory Dump Source
                • Source File: 00000000.00000002.2066505807.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                • Associated: 00000000.00000002.2066479118.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066538862.000000000050D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.0000000000517000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000054B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000055A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066659962.0000000000566000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLast$EnumLocalesSystem
                • String ID:
                • API String ID: 2417226690-0
                • Opcode ID: 0da9475d7271b8c2dbee0413b626b8c67c3a987a4ebff1076c1da1d2802c92b5
                • Instruction ID: 79ad5f6a1b2d522fb4b7b1148ac6ef13ca102615d40450bf5a5e5757967343d0
                • Opcode Fuzzy Hash: 0da9475d7271b8c2dbee0413b626b8c67c3a987a4ebff1076c1da1d2802c92b5
                • Instruction Fuzzy Hash: 57F0553A70020997CB149F3AC80666EBF90FFC5710B074059FE098B290C631A843C7A0
                APIs
                • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,004FD804,?,20001004,00000000,00000002,?,?,004FCE04), ref: 004FF579
                Memory Dump Source
                • Source File: 00000000.00000002.2066505807.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                • Associated: 00000000.00000002.2066479118.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066538862.000000000050D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.0000000000517000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000054B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000055A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066659962.0000000000566000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                Yara matches
                Similarity
                • API ID: InfoLocale
                • String ID:
                • API String ID: 2299586839-0
                • Opcode ID: 87ea63e5fd940c65825293f9526bfbe35116fc772f8e89c0e1dc46e5118f85d2
                • Instruction ID: f2773052205015cbec361b7e3a1a7cd930c28a9d628819a6dd48c1fefc010c43
                • Opcode Fuzzy Hash: 87ea63e5fd940c65825293f9526bfbe35116fc772f8e89c0e1dc46e5118f85d2
                • Instruction Fuzzy Hash: 07E04F3250052CBBCF126F61DC04ABE7F26EF54750F044026FE0966221CB758D26AAE9
                APIs
                • SetUnhandledExceptionFilter.KERNEL32(Function_0000510E,004F477F), ref: 004F5107
                Memory Dump Source
                • Source File: 00000000.00000002.2066505807.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                • Associated: 00000000.00000002.2066479118.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066538862.000000000050D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.0000000000517000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000054B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000055A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066659962.0000000000566000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                Yara matches
                Similarity
                • API ID: ExceptionFilterUnhandled
                • String ID:
                • API String ID: 3192549508-0
                • Opcode ID: c1163a237d8932ea4615f05030e28c9e064c8a56059cfab5bc46b2ce975080ab
                • Instruction ID: b66c968bfc0d500c9bba950305c03b7c13c412d071d3d52e66f50919b62cfe97
                • Opcode Fuzzy Hash: c1163a237d8932ea4615f05030e28c9e064c8a56059cfab5bc46b2ce975080ab
                • Instruction Fuzzy Hash:
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2066505807.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                • Associated: 00000000.00000002.2066479118.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066538862.000000000050D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.0000000000517000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000054B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000055A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066659962.0000000000566000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                Yara matches
                Similarity
                • API ID: HeapProcess
                • String ID:
                • API String ID: 54951025-0
                • Opcode ID: 97270f15a8ee25aa7ca400d4d628e52ff6762b0e65fad048b5bc34f45a6b6a64
                • Instruction ID: d209848b7740d64ed087e80ff64801f42163b171e98ddabb8276f9bff2b42c92
                • Opcode Fuzzy Hash: 97270f15a8ee25aa7ca400d4d628e52ff6762b0e65fad048b5bc34f45a6b6a64
                • Instruction Fuzzy Hash: F6A00170A526018B97508F79AB0934D3AE9AA6A691B05806AA885CA160EAB48558EA11
                • API ID: ErrorLastProcess$CurrentFeatureInfoLocalePresentProcessorTerminate
                • String ID:
                • API String ID: 3471368781-0
                • Opcode ID: 9b50ea3ff1460adefba6b460dd3867fc53c8922e6908a79ef20028ab1b7d32e2
                • Instruction ID: 432dc49fd3bcb776513a06c9b7a9e2b99ec9086fbb40bc1a40bee9de8b3a5f4b
                • Opcode Fuzzy Hash: 9b50ea3ff1460adefba6b460dd3867fc53c8922e6908a79ef20028ab1b7d32e2
                • Instruction Fuzzy Hash: 9FB139756007069BDB34AF25CC92ABFBBE9FF44308F14486DEA83C65C0EA75A955CB00
                APIs
                  • Part of subcall function 004F116F: __EH_prolog3_catch.LIBCMT ref: 004F1176
                  • Part of subcall function 004F116F: _strlen.LIBCMT ref: 004F1188
                • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0050C294
                  • Part of subcall function 004F1852: _strlen.LIBCMT ref: 004F186A
                • _strlen.LIBCMT ref: 0050C2AF
                • _strlen.LIBCMT ref: 0050C2C5
                • GetProcAddress.KERNEL32(00000000,?), ref: 0050C2E2
                  • Part of subcall function 0050C20E: VirtualAlloc.KERNELBASE(00000000,000004AC,00001000,00000040,ole,00000000,?,00564398,0050C302), ref: 0050C222
                  • Part of subcall function 0050C20E: CreateThread.KERNELBASE(00000000,00000000,00000188,00517018,00000000,00000000), ref: 0050C256
                  • Part of subcall function 0050C20E: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0050C25F
                  • Part of subcall function 004F1DFE: _Deallocate.LIBCONCRT ref: 004F1E0D
                • API ID: _strlen$AddressAllocCreateDeallocateH_prolog3_catchHandleModuleObjectProcSingleThreadVirtualWait
                • String ID: Cons$Free$Madino Mino$Write command.For help write '5'Don't TRY TO WRITE WORDS!!!ONLY NUMBERS!!!Like:help and other...root@calculator-unstable:~# $kernel32.dll$ole
                • API String ID: 748853668-4266058140
                • Opcode ID: c0828fa02f06e1aba496a7102d546c764b01aa039468bd45c1cdfd966d2f4bc8
                • Instruction ID: bf34c37db23bdbd0e555e0f364e17bfd5c05f3d8d70c87fae12777410d10fe54
                • Opcode Fuzzy Hash: c0828fa02f06e1aba496a7102d546c764b01aa039468bd45c1cdfd966d2f4bc8
                • Instruction Fuzzy Hash: 19119471A0020DAAD704EBA6EC46CFF7BB8EF54714710042EF516E2191EE689D05C629
                APIs
                • type_info::operator==.LIBVCRUNTIME ref: 004F7F37
                • ___TypeMatch.LIBVCRUNTIME ref: 004F8045
                • _UnwindNestedFrames.LIBCMT ref: 004F8197
                • CallUnexpected.LIBVCRUNTIME ref: 004F81B2
                • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                • String ID: `P$csm$csm$csm
                • API String ID: 2751267872-3795834809
                • Opcode ID: 4a999b314fd4f74fadfb13d19edecd70219dad521d3ddad4edc8a4d861c9a635
                • Instruction ID: 97cda5002b587290c46285710285deafb3a4e65aa42a34958a67182ce85f9208
                • Opcode Fuzzy Hash: 4a999b314fd4f74fadfb13d19edecd70219dad521d3ddad4edc8a4d861c9a635
                • Instruction Fuzzy Hash: 63B1543180020DAFCF24DFA5C9819BEBBB5BF14314B15455FEA046B212DB38DA62CB99
                APIs
                • __EH_prolog3.LIBCMT ref: 004F230E
                • std::_Lockit::_Lockit.LIBCPMT ref: 004F2318
                • int.LIBCPMT ref: 004F232F
                  • Part of subcall function 004F2867: std::_Lockit::_Lockit.LIBCPMT ref: 004F2878
                  • Part of subcall function 004F2867: std::_Lockit::~_Lockit.LIBCPMT ref: 004F2892
                • codecvt.LIBCPMT ref: 004F2352
                • std::_Facet_Register.LIBCPMT ref: 004F2369
                • std::_Lockit::~_Lockit.LIBCPMT ref: 004F2389
                • Concurrency::cancel_current_task.LIBCPMT ref: 004F2396
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
                • String ID: @DV
                • API String ID: 2133458128-2579900946
                • Opcode ID: 541119a71de5c1b98a98b202afd23e63331684d9c7fbc2a7f176eb45cd975c81
                • Instruction ID: 8a9e85215f761b2745b657775e7768c9bb5eb75a409b2e54705e9310c85a546c
                • Opcode Fuzzy Hash: 541119a71de5c1b98a98b202afd23e63331684d9c7fbc2a7f176eb45cd975c81
                • Instruction Fuzzy Hash: D101C47690015D8BCF05EB65D902ABE7BB1BF94318F14050EEA106B391DFBC9E05CB99
                APIs
                • __EH_prolog3.LIBCMT ref: 004F23A3
                • std::_Lockit::_Lockit.LIBCPMT ref: 004F23AD
                • int.LIBCPMT ref: 004F23C4
                  • Part of subcall function 004F2867: std::_Lockit::_Lockit.LIBCPMT ref: 004F2878
                  • Part of subcall function 004F2867: std::_Lockit::~_Lockit.LIBCPMT ref: 004F2892
                • ctype.LIBCPMT ref: 004F23E7
                • std::_Facet_Register.LIBCPMT ref: 004F23FE
                • std::_Lockit::~_Lockit.LIBCPMT ref: 004F241E
                • Concurrency::cancel_current_task.LIBCPMT ref: 004F242B
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registerctype
                • String ID: EV
                • API String ID: 2958136301-3946306333
                • Opcode ID: 1b552e3358fbee155e91e99ca5ae32e4015480509ce4843422fbff3959bfd5a8
                • Instruction ID: fa6b02db89d363c223b6e87fd332fe87ef97489646e751e09e9d5b7b0fa2d557
                • Opcode Fuzzy Hash: 1b552e3358fbee155e91e99ca5ae32e4015480509ce4843422fbff3959bfd5a8
                • Instruction Fuzzy Hash: 5701C47190011D8BCB05EBA5C951ABE7B71EF94714F14050EEA017B381DFB89E05CB99
                • API ID:
                • String ID:
                • API String ID: 0-3907804496
                • Opcode ID: d9c668e124d1ea135434c0405149b95e4e909f51ad98b0ff4be351b501cae67a
                • Instruction ID: 95755f232213328c2e8f9d229f8862923d936c5054024f11b987749d46ccafeb
                • Opcode Fuzzy Hash: d9c668e124d1ea135434c0405149b95e4e909f51ad98b0ff4be351b501cae67a
                • Instruction Fuzzy Hash: B4B12570A04A49AFDB11CF99C880BBDBFB5FF46304F148159E901AB2D1DB709D41CBAA
                APIs
                • GetCPInfo.KERNEL32(00E205D8,00E205D8,?,7FFFFFFF,?,00509DC9,00E205D8,00E205D8,?,00E205D8,?,?,?,?,00E205D8,?), ref: 00509B9F
                • __alloca_probe_16.LIBCMT ref: 00509C5A
                • __alloca_probe_16.LIBCMT ref: 00509CE9
                • __freea.LIBCMT ref: 00509D34
                • __freea.LIBCMT ref: 00509D3A
                • __freea.LIBCMT ref: 00509D70
                • __freea.LIBCMT ref: 00509D76
                • __freea.LIBCMT ref: 00509D86
                • API ID: __freea$__alloca_probe_16$Info
                • String ID:
                • API String ID: 127012223-0
                • Opcode ID: 719e329fded01a49845c06b6d3720846567663e9c8daf42377e9752180a51fbd
                • Instruction ID: 4e1cc906184e03cf4d086f8b3fa35b6c0cb1245472f2c660f58b5f089c68a5af
                • Opcode Fuzzy Hash: 719e329fded01a49845c06b6d3720846567663e9c8daf42377e9752180a51fbd
                • Instruction Fuzzy Hash: 4271F47294420AABEF219F64DC41BEF7FB9BF85310F280059E904AB2C7E635DC4087A4
                APIs
                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 004F4526
                • __alloca_probe_16.LIBCMT ref: 004F4552
                • MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 004F4591
                • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004F45AE
                • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004F45ED
                • __alloca_probe_16.LIBCMT ref: 004F460A
                • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004F464C
                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 004F466F
                • API ID: ByteCharMultiStringWide$__alloca_probe_16
                • String ID:
                • API String ID: 2040435927-0
                • Opcode ID: 3f4515e8c883fd44bcd0667d907c3b1bee32cb62f9b601d93f90fdbeb085eb75
                • Instruction ID: 43732f8de1308bbef04a4b944c5e6fbc27b50d69e257a88c5b73adee269ee99c
                • Opcode Fuzzy Hash: 3f4515e8c883fd44bcd0667d907c3b1bee32cb62f9b601d93f90fdbeb085eb75
                • Instruction Fuzzy Hash: 7751BF7250020EABEB209FA1CC44FBB3BB9EF85754F15452AFB05D6290DB788C118B68
                APIs
                • _ValidateLocalCookies.LIBCMT ref: 004F78E7
                • ___except_validate_context_record.LIBVCRUNTIME ref: 004F78EF
                • _ValidateLocalCookies.LIBCMT ref: 004F7978
                • __IsNonwritableInCurrentImage.LIBCMT ref: 004F79A3
                • _ValidateLocalCookies.LIBCMT ref: 004F79F8
                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                • String ID: csm
                • API String ID: 1170836740-1018135373
                • Opcode ID: 1802eb20950b812d2bd7bda472e591824fadefed72e8b7d47abc2f0167b5b6f9
                • Instruction ID: 16b3fa85c605300022714d99256952615aac71ccacdffdde9e72fe6e3ce11456
                • Opcode Fuzzy Hash: 1802eb20950b812d2bd7bda472e591824fadefed72e8b7d47abc2f0167b5b6f9
                • Instruction Fuzzy Hash: 0141E170A0420D9BCF00DF69C885ABEBFB4EF45324F14819BEA159B392D77D9A11CB94
                APIs
                • GetLastError.KERNEL32(?,?,004F7AA1,004F6070,004F5152), ref: 004F7AB8
                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004F7AC6
                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004F7ADF
                • SetLastError.KERNEL32(00000000,004F7AA1,004F6070,004F5152), ref: 004F7B31
                • API ID: ErrorLastValue___vcrt_
                • String ID:
                • API String ID: 3852720340-0
                • Opcode ID: 107afd333ea7d2a8df809abef2daadb012bfdb541292ef0d3a4cbc38183e5ecb
                • Instruction ID: 15af5a7c3139bcf0afe1176899960e02201e3af2c4ad31223bfc60549aec5889
                • Opcode Fuzzy Hash: 107afd333ea7d2a8df809abef2daadb012bfdb541292ef0d3a4cbc38183e5ecb
                • Instruction Fuzzy Hash: F601B53261D2195EAB1527B97D9597B2B94EB223B8720022FF310C71E1FF9E5C06A158
                APIs
                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BA3E30E8,?,?,00000000,0050B356,000000FF,?,004FC30F,?,?,004FC2E3,00000000), ref: 004FC3B4
                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004FC3C6
                • FreeLibrary.KERNEL32(00000000,?,00000000,0050B356,000000FF,?,004FC30F,?,?,004FC2E3,00000000), ref: 004FC3E8
                • API ID: AddressFreeHandleLibraryModuleProc
                • String ID: CorExitProcess$mscoree.dll
                • API String ID: 4061214504-1276376045
                • Opcode ID: 7f716c59fe619d3762633d80f595682e192ad6216d64a8eaac02c96738e6e7cd
                • Instruction ID: 77818937717e0e603707512c899461e1d26abb00a1d0ba968f469446bcc96677
                • Opcode Fuzzy Hash: 7f716c59fe619d3762633d80f595682e192ad6216d64a8eaac02c96738e6e7cd
                • Instruction Fuzzy Hash: 9201A73194061DEBDB118F94DD49BBEBBB9FB04715F004526E811E26D0DBB49904DB50
                APIs
                • __EH_prolog3.LIBCMT ref: 004F3E19
                • std::_Lockit::_Lockit.LIBCPMT ref: 004F3E24
                • std::_Lockit::~_Lockit.LIBCPMT ref: 004F3E92
                  • Part of subcall function 004F3F75: std::locale::_Locimp::_Locimp.LIBCPMT ref: 004F3F8D
                • std::locale::_Setgloballocale.LIBCPMT ref: 004F3E3F
                • _Yarn.LIBCPMT ref: 004F3E55
                • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                • String ID:
                • API String ID: 1088826258-0
                • Opcode ID: 7e6d03cd7372f7596b091f5eb92cfda2de3b5a0c9a7b6864f5e2f6d3a6748d11
                • Instruction ID: 02df05fe164cddee9ea91233dfa182093ca5e204db24860281fe3c4516581ae5
                • Opcode Fuzzy Hash: 7e6d03cd7372f7596b091f5eb92cfda2de3b5a0c9a7b6864f5e2f6d3a6748d11
                • Instruction Fuzzy Hash: 1E01BCB2A002189BCB06EF65D84197E7B71BFA4305B18000EEA1257381CF786B06DB99
                APIs
                • __EH_prolog3.LIBCMT ref: 004F25AC
                • std::_Lockit::_Lockit.LIBCPMT ref: 004F25B9
                • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 004F25F6
                  • Part of subcall function 004F3F10: _Yarn.LIBCPMT ref: 004F3F2F
                  • Part of subcall function 004F3F10: _Yarn.LIBCPMT ref: 004F3F53
                • API ID: Yarnstd::_$H_prolog3Locinfo::_Locinfo_ctorLockitLockit::_
                • String ID: bad locale name
                • API String ID: 482894088-1405518554
                • Opcode ID: 3ba1c5c3cc40dfa5d0145c729cab011d70ee31360bd99a5b5e57943509f9a073
                • Instruction ID: 486e9babdbcd9d5351d02d2565102aec078d86bd918ffb78decfbf021f6c3401
                • Opcode Fuzzy Hash: 3ba1c5c3cc40dfa5d0145c729cab011d70ee31360bd99a5b5e57943509f9a073
                • Instruction Fuzzy Hash: BC0184B15057489EC7209F6A954145BFEE0BF18350740892FE28D83A41C7749544CBAD
                APIs
                • LoadLibraryExW.KERNEL32(005150C8,00000000,00000800,?,004F8BA3,00000000,?,00000000,?,?,?,004F8CCD,00000002,FlsGetValue,0050ED08,FlsGetValue), ref: 004F8BFF
                • GetLastError.KERNEL32(?,004F8BA3,00000000,?,00000000,?,?,?,004F8CCD,00000002,FlsGetValue,0050ED08,FlsGetValue,00000000,?,004F7B5D), ref: 004F8C09
                • LoadLibraryExW.KERNEL32(005150C8,00000000,00000000,?,005150C8,?,?,?,004F18ED,?,004F18ED,?), ref: 004F8C31
                • API ID: LibraryLoad$ErrorLast
                • String ID: api-ms-
                • API String ID: 3177248105-2084034818
                • Opcode ID: 5ff25033dcea2545dae93883c862b7521249ea4df897e344dc10913b84170f42
                • Instruction ID: 2e77e558bee07c6ca455844ca7a63402fb5125bfb31a6362be5d43664781819f
                • Opcode Fuzzy Hash: 5ff25033dcea2545dae93883c862b7521249ea4df897e344dc10913b84170f42
                • Instruction Fuzzy Hash: BFE0483024120CBBEF301FA1DC0AB2D3E64BB11B84F104025FA4CE81E1EB7B991695A8
                APIs
                • GetConsoleOutputCP.KERNEL32(BA3E30E8,00000000,00000000,00000000), ref: 004FFE31
                  • Part of subcall function 00503E34: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00502DC6,?,00000000,-00000008), ref: 00503EE0
                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0050008C
                • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 005000D4
                • GetLastError.KERNEL32 ref: 00500177
                Memory Dump Source
                • Source File: 00000000.00000002.2066505807.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                • Associated: 00000000.00000002.2066479118.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066538862.000000000050D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.0000000000517000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000054B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000055A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066659962.0000000000566000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                Yara matches
                Similarity
                • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                • String ID:
                • API String ID: 2112829910-0
                • Opcode ID: d2f6760e08c6e18463f32e7084fee9d42a009ec370872d9f0e1cf40cab3a3c44
                • Instruction ID: 068401bcdf6e8232939a00a4b8a304dce87b47d4a44d4cebb33def59ed5808d1
                • Opcode Fuzzy Hash: d2f6760e08c6e18463f32e7084fee9d42a009ec370872d9f0e1cf40cab3a3c44
                • Instruction Fuzzy Hash: 3DD179B5D002589FCB15CFA8D880AAEBBB5FF49304F18412AE955E7391D730A946CB50
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2066505807.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                • Associated: 00000000.00000002.2066479118.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066538862.000000000050D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.0000000000517000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000054B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000055A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066659962.0000000000566000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                Yara matches
                Similarity
                • API ID: AdjustPointer
                • String ID:
                • API String ID: 1740715915-0
                • Opcode ID: f7da345bf504aa529fc58a5fbdde951a4d24a961ed419e4f7a808e47cc5e2e1b
                • Instruction ID: 01d18fc53230de1dbf18265c7c07db5d366f1d29dea230f7bd1c5dc50bc07982
                • Opcode Fuzzy Hash: f7da345bf504aa529fc58a5fbdde951a4d24a961ed419e4f7a808e47cc5e2e1b
                • Instruction Fuzzy Hash: 5651D17150864E9FDB258F15D841BBA77A4EF04304F14452FEB0287291E73DAC81D7A8
                APIs
                  • Part of subcall function 00503E34: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00502DC6,?,00000000,-00000008), ref: 00503EE0
                • GetLastError.KERNEL32 ref: 005042B4
                • __dosmaperr.LIBCMT ref: 005042BB
                • GetLastError.KERNEL32(?,?,?,?), ref: 005042F5
                • __dosmaperr.LIBCMT ref: 005042FC
                Memory Dump Source
                • Source File: 00000000.00000002.2066505807.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                • Associated: 00000000.00000002.2066479118.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066538862.000000000050D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.0000000000517000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000054B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000055A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066659962.0000000000566000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                • String ID:
                • API String ID: 1913693674-0
                • Opcode ID: 990d7f114831f985811ac3ee576b02305e486e40beb21802e09907fcd74ec0fa
                • Instruction ID: 67a36253ff8b8375c8774a0ba4d1ab0cab2d6282ad28a36688a61fb9beaee89b
                • Opcode Fuzzy Hash: 990d7f114831f985811ac3ee576b02305e486e40beb21802e09907fcd74ec0fa
                • Instruction Fuzzy Hash: F62183B160020AAFDB20AF66C88596FBBACFF45364B148919FB1997291D734EC419F90
                Memory Dump Source
                • Source File: 00000000.00000002.2066505807.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                • Associated: 00000000.00000002.2066479118.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066538862.000000000050D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.0000000000517000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000054B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000055A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066659962.0000000000566000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 278ca52f2c95641206763f68b5bc9e4dd617d4deef12f9c2b412e7f2c2e3f8b2
                • Instruction ID: d5e2990c8d64a892767a39b1c49878bcefeb52de85c09b73ae1ce7d7b4f52874
                • Opcode Fuzzy Hash: 278ca52f2c95641206763f68b5bc9e4dd617d4deef12f9c2b412e7f2c2e3f8b2
                • Instruction Fuzzy Hash: 8E21C57160020DAFEB21AF61DC81D7B77AAEF52358B10451AFA14D7250D738DC008BD9
                APIs
                • GetEnvironmentStringsW.KERNEL32 ref: 005051EE
                  • Part of subcall function 00503E34: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00502DC6,?,00000000,-00000008), ref: 00503EE0
                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00505226
                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00505246
                Memory Dump Source
                • Source File: 00000000.00000002.2066505807.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                • Associated: 00000000.00000002.2066479118.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066538862.000000000050D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.0000000000517000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000054B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000055A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066659962.0000000000566000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                Yara matches
                Similarity
                • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                • String ID:
                • API String ID: 158306478-0
                • Opcode ID: 66bd0bc169b5ae2bc6ae7286b1d87c17c433256a979233f9c8ea957ace3c891b
                • Instruction ID: 3887de6b604c4ee8414ec74cf1a22990d4e887033f31d346d39403134a889929
                • Opcode Fuzzy Hash: 66bd0bc169b5ae2bc6ae7286b1d87c17c433256a979233f9c8ea957ace3c891b
                • Instruction Fuzzy Hash: 4D1122B5902A1A7FEB2127B29C8DC7F6DACEFA93987100524F901D1180FE24CE019A71
                APIs
                • WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,00000000,?,00508411,00000000,00000001,00000000,00000000,?,005001CB,00000000,00000000,00000000), ref: 0050962C
                • GetLastError.KERNEL32(?,00508411,00000000,00000001,00000000,00000000,?,005001CB,00000000,00000000,00000000,00000000,00000000,?,00500752,00000000), ref: 00509638
                  • Part of subcall function 005095FE: CloseHandle.KERNEL32(FFFFFFFE,00509648,?,00508411,00000000,00000001,00000000,00000000,?,005001CB,00000000,00000000,00000000,00000000,00000000), ref: 0050960E
                • ___initconout.LIBCMT ref: 00509648
                  • Part of subcall function 005095C0: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,005095EF,005083FE,00000000,?,005001CB,00000000,00000000,00000000,00000000), ref: 005095D3
                • WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,?,00508411,00000000,00000001,00000000,00000000,?,005001CB,00000000,00000000,00000000,00000000), ref: 0050965D
                Memory Dump Source
                • Source File: 00000000.00000002.2066505807.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                • Associated: 00000000.00000002.2066479118.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066538862.000000000050D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.0000000000517000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000054B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000055A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066659962.0000000000566000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                Yara matches
                Similarity
                • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                • String ID:
                • API String ID: 2744216297-0
                • Opcode ID: 84a09b2376e5c7e6bab2a56d11e8d41f821ad12dfa661d1d09acb7fa8b849a56
                • Instruction ID: a4f5daf1bd45540d5f1cf571fec219ac2af704059388ad8de67a290437b7b5a7
                • Opcode Fuzzy Hash: 84a09b2376e5c7e6bab2a56d11e8d41f821ad12dfa661d1d09acb7fa8b849a56
                • Instruction Fuzzy Hash: 5BF01C36801159BBCF221FE5EC09A8D3F3AFF583A0F004010FA1986175DA728964EB90
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2066505807.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                • Associated: 00000000.00000002.2066479118.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066538862.000000000050D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.0000000000517000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000054B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000055A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066659962.0000000000566000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID: P6V$P6V
                • API String ID: 0-2469501823
                • Opcode ID: 5507e3a8c6278934f1acc53853725ba2ce28ff9ada9ee4a55752c77eb41fdeed
                • Instruction ID: ce1a7c083f0f6c4bc53b9da3b292cc3ede7733ea55f3326f2f0006cc9f8a3498
                • Opcode Fuzzy Hash: 5507e3a8c6278934f1acc53853725ba2ce28ff9ada9ee4a55752c77eb41fdeed
                • Instruction Fuzzy Hash: A0C14572D40609BBEB20DBA8CC86FEE7BF8BB44704F144565FA05FB2C2E57499448B64
                APIs
                  • Part of subcall function 004FEFD8: HeapFree.KERNEL32(00000000,00000000,?,0050602B,?,00000000,?,?,005062CC,?,00000007,?,?,005067C5,?,?), ref: 004FEFEE
                  • Part of subcall function 004FEFD8: GetLastError.KERNEL32(?,?,0050602B,?,00000000,?,?,005062CC,?,00000007,?,?,005067C5,?,?), ref: 004FEFF9
                • ___free_lconv_mon.LIBCMT ref: 00506672
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2066505807.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                • Associated: 00000000.00000002.2066479118.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066538862.000000000050D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.0000000000517000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000054B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000055A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066659962.0000000000566000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                Yara matches
                Similarity
                • API ID: ErrorFreeHeapLast___free_lconv_mon
                • String ID: P6V$x7V
                • API String ID: 4068849827-3161767270
                • Opcode ID: b44d6613e39e6b85a7aa7241aa1801d4cbeb1089ed95819091cba3980408f5a0
                • Instruction ID: e6b00e6494247b9dd50063fe0a4e07e1400a28ef7722e145738324b35171b8c6
                • Opcode Fuzzy Hash: b44d6613e39e6b85a7aa7241aa1801d4cbeb1089ed95819091cba3980408f5a0
                • Instruction Fuzzy Hash: BA316B31604309AFEB30AA3AD845B6A7BE8FF00315F14442EE549D72E1DF35EC908B64
                APIs
                • EncodePointer.KERNEL32(00000000,?), ref: 004F81E2
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2066505807.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                • Associated: 00000000.00000002.2066479118.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066538862.000000000050D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.0000000000517000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000054B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000055A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066659962.0000000000566000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                Yara matches
                Similarity
                • API ID: EncodePointer
                • String ID: MOC$RCC
                • API String ID: 2118026453-2084237596
                • Opcode ID: 0efc7d716db653decb6e4476e2f0698f817792cded43810352d5257f1af871ec
                • Instruction ID: e4c748f4395e544262079e37e607fd1e42f6520fec46dc9974a353097893f67a
                • Opcode Fuzzy Hash: 0efc7d716db653decb6e4476e2f0698f817792cded43810352d5257f1af871ec
                • Instruction Fuzzy Hash: D241893290060DAFDF15CF94CD81AAEBBB1FF09304F1A409AFA046B211D739A950DB59
                APIs
                • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 004F526A
                • ___raise_securityfailure.LIBCMT ref: 004F5352
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2066505807.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                • Associated: 00000000.00000002.2066479118.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066538862.000000000050D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.0000000000517000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000054B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000055A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066659962.0000000000566000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                Yara matches
                Similarity
                • API ID: FeaturePresentProcessor___raise_securityfailure
                • String ID: XGV
                • API String ID: 3761405300-2698939161
                • Opcode ID: f964558a6e708a0f0f0f7246ed57e32a930cbd33b5147dbc19966c5e285a006a
                • Instruction ID: a53068450f14a458c53c00f4666c368bbc845d67901121ebc2fae2a15a7a8240
                • Opcode Fuzzy Hash: f964558a6e708a0f0f0f7246ed57e32a930cbd33b5147dbc19966c5e285a006a
                • Instruction Fuzzy Hash: 002140B45003889ED704DF5DF891A143BE4FBAA700F21412AE6088B3B1E3F44989EF48
                APIs
                • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 004F5370
                • ___raise_securityfailure.LIBCMT ref: 004F542D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2066505807.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                • Associated: 00000000.00000002.2066479118.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066538862.000000000050D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.0000000000517000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000054B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066565409.000000000055A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2066659962.0000000000566000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                Yara matches
                Similarity
                • API ID: FeaturePresentProcessor___raise_securityfailure
                • String ID: XGV
                • API String ID: 3761405300-2698939161
                • Opcode ID: 084abc5f272b3b44167b4b2b7e69604c8accd95f86659fb546422c21b3ac08e6
                • Instruction ID: cc8fa9c0b36c283843c104dfa41a2618b4893718249a5be278494c779924dbb3
                • Opcode Fuzzy Hash: 084abc5f272b3b44167b4b2b7e69604c8accd95f86659fb546422c21b3ac08e6
                • Instruction Fuzzy Hash: 3C11DFB85103889FC744EF5EF9916443BE4FBAA700B01511AE9088B371E7F0958AEF49

                Execution Graph

                Execution Coverage:7.1%
                Dynamic/Decrypted Code Coverage:100%
                Signature Coverage:0%
                Total number of Nodes:52
                Total number of Limit Nodes:7
                execution_graph 25494 3084668 25495 3084684 25494->25495 25496 3084696 25495->25496 25498 30847a0 25495->25498 25499 30847c5 25498->25499 25503 30848b0 25499->25503 25507 30848a1 25499->25507 25505 30848d7 25503->25505 25504 30849b4 25504->25504 25505->25504 25511 3084248 25505->25511 25509 30848b0 25507->25509 25508 30849b4 25508->25508 25509->25508 25510 3084248 CreateActCtxA 25509->25510 25510->25508 25512 3085940 CreateActCtxA 25511->25512 25514 3085a03 25512->25514 25515 308ad38 25516 308ad47 25515->25516 25519 308ae20 25515->25519 25527 308ae30 25515->25527 25520 308ae41 25519->25520 25522 308ae64 25519->25522 25520->25522 25535 308b0b8 25520->25535 25539 308b0c8 25520->25539 25521 308ae5c 25521->25522 25523 308b068 GetModuleHandleW 25521->25523 25522->25516 25524 308b095 25523->25524 25524->25516 25528 308ae41 25527->25528 25529 308ae64 25527->25529 25528->25529 25533 308b0b8 LoadLibraryExW 25528->25533 25534 308b0c8 LoadLibraryExW 25528->25534 25529->25516 25530 308b068 GetModuleHandleW 25532 308b095 25530->25532 25531 308ae5c 25531->25529 25531->25530 25532->25516 25533->25531 25534->25531 25536 308b0dc 25535->25536 25537 308b101 25536->25537 25543 308a870 25536->25543 25537->25521 25540 308b0dc 25539->25540 25541 308a870 LoadLibraryExW 25540->25541 25542 308b101 25540->25542 25541->25542 25542->25521 25544 308b2a8 LoadLibraryExW 25543->25544 25546 308b321 25544->25546 25546->25537 25547 308d0b8 25548 308d0fe 25547->25548 25552 308d298 25548->25552 25555 308d289 25548->25555 25549 308d1eb 25554 308d2c6 25552->25554 25558 308c9a0 25552->25558 25554->25549 25556 308c9a0 DuplicateHandle 25555->25556 25557 308d2c6 25556->25557 25557->25549 25559 308d300 DuplicateHandle 25558->25559 25560 308d396 25559->25560 25560->25554

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 679 6b03f50-6b03f84 682 6b03f92-6b03fa5 679->682 683 6b03f86-6b03f8f 679->683 684 6b04215-6b04219 682->684 685 6b03fab-6b03fae 682->685 683->682 687 6b0421b-6b0422b 684->687 688 6b0422e-6b04238 684->688 689 6b03fb0-6b03fb5 685->689 690 6b03fbd-6b03fc9 685->690 687->688 689->690 691 6b04253-6b04299 690->691 692 6b03fcf-6b03fe1 690->692 699 6b042a8-6b042d0 691->699 700 6b0429b-6b042a5 691->700 696 6b03fe7-6b0403a 692->696 697 6b0414d-6b0415b 692->697 728 6b0404a 696->728 729 6b0403c-6b04048 call 6b03c88 696->729 703 6b041e0-6b041e2 697->703 704 6b04161-6b0416f 697->704 722 6b04425-6b04443 699->722 723 6b042d6-6b042ef 699->723 700->699 709 6b041f0-6b041fc 703->709 710 6b041e4-6b041ea 703->710 707 6b04171-6b04176 704->707 708 6b0417e-6b0418a 704->708 707->708 708->691 714 6b04190-6b041bf 708->714 719 6b041fe-6b0420f 709->719 712 6b041ec 710->712 713 6b041ee 710->713 712->709 713->709 734 6b041d0-6b041de 714->734 735 6b041c1-6b041ce 714->735 719->684 719->685 740 6b04445-6b04467 722->740 741 6b044ae-6b044b8 722->741 738 6b042f5-6b0430b 723->738 739 6b04406-6b0441f 723->739 732 6b0404c-6b0405c 728->732 729->732 746 6b04077-6b04079 732->746 747 6b0405e-6b04075 732->747 734->684 735->734 738->739 760 6b04311-6b0435f 738->760 739->722 739->723 758 6b044b9-6b0450a 740->758 759 6b04469-6b04485 740->759 750 6b040c2-6b040c4 746->750 751 6b0407b-6b04089 746->751 747->746 753 6b040d2-6b040e2 750->753 754 6b040c6-6b040d0 750->754 751->750 765 6b0408b-6b0409d 751->765 770 6b040e4-6b040f2 753->770 771 6b0410d-6b04110 753->771 754->753 768 6b0411b-6b04127 754->768 796 6b0452a-6b04568 758->796 797 6b0450c-6b04528 758->797 774 6b044a9-6b044ac 759->774 807 6b04361-6b04387 760->807 808 6b04389-6b043ad 760->808 775 6b040a3-6b040a7 765->775 776 6b0409f-6b040a1 765->776 768->719 785 6b0412d-6b04148 768->785 782 6b040f4-6b04103 770->782 783 6b04105-6b04108 770->783 828 6b04113 call 6b048b8 771->828 829 6b04113 call 6b048a8 771->829 774->741 779 6b04493-6b04496 774->779 784 6b040ad-6b040bc 775->784 776->784 778 6b04119 778->768 779->758 786 6b04498-6b044a8 779->786 782->768 783->684 784->750 795 6b04239-6b0424c 784->795 785->684 786->774 795->691 797->796 807->808 817 6b043df-6b043f8 808->817 818 6b043af-6b043c6 808->818 820 6b04403-6b04404 817->820 821 6b043fa 817->821 825 6b043d2-6b043dd 818->825 826 6b043c8-6b043cb 818->826 820->739 821->820 825->817 825->818 826->825 828->778 829->778
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 680c61a1f3912f61f2c600dbf8db6f124f458f6ea46b87926b31e96994e05915
                • Instruction ID: a4f0748498e04b94ca53a205b29e032c2fc7aaf7eb783e012e53bf53e5df0183
                • Opcode Fuzzy Hash: 680c61a1f3912f61f2c600dbf8db6f124f458f6ea46b87926b31e96994e05915
                • Instruction Fuzzy Hash: 27125B74B00215DFDB54DF69C494AAEBFF6EF89200B1491A9E906EB3A5DB30DC41CB90

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 830 6b067d8-6b067f0 832 6b067f2-6b067fb 830->832 833 6b0682a-6b06849 830->833 834 6b0684c-6b068cd 832->834 835 6b067fd-6b0680d 832->835 845 6b06ae0-6b06b04 834->845 846 6b068d3-6b068df 834->846 837 6b06815-6b06817 835->837 839 6b06821-6b06827 837->839 840 6b06819-6b0681e 837->840 839->833 852 6b06c31-6b06c35 845->852 853 6b06b0a-6b06b0e 845->853 847 6b068e5-6b068fc 846->847 848 6b06c6f-6b06c79 846->848 847->845 856 6b06902-6b06946 847->856 857 6b06c7b-6b06caa 848->857 858 6b06c1f 848->858 854 6b06c63-6b06c6c 852->854 855 6b06c37-6b06c3b 852->855 859 6b06b14-6b06b1a 853->859 860 6b06bcc-6b06bd2 853->860 855->854 861 6b06c3d-6b06c5e 855->861 886 6b06956 856->886 887 6b06948-6b06954 call 6b03c88 856->887 872 6b06cc4-6b06cdc 857->872 873 6b06cac-6b06cc3 857->873 863 6b06c25-6b06c2e 858->863 864 6b06b33-6b06bbc 859->864 865 6b06b1c-6b06b20 859->865 862 6b06bd4-6b06c1a 860->862 860->863 861->854 874 6b06c60 861->874 862->858 864->863 906 6b06bbe-6b06bca 864->906 865->860 868 6b06b26-6b06b2d 865->868 868->860 868->864 874->854 889 6b06958-6b06968 886->889 887->889 893 6b069a7-6b069eb 889->893 894 6b0696a-6b06971 889->894 911 6b069fb 893->911 912 6b069ed-6b069f9 call 6b03c88 893->912 896 6b06973-6b06989 894->896 897 6b0698b-6b06992 894->897 899 6b06995-6b06997 896->899 897->899 899->893 902 6b06999-6b0699d 899->902 902->893 905 6b0699f-6b069a2 902->905 907 6b06ad6-6b06ada 905->907 906->863 907->845 907->846 914 6b069fd-6b06a0d 911->914 912->914 917 6b06a13-6b06a19 914->917 918 6b06a0f-6b06a11 914->918 919 6b06a21-6b06a23 917->919 918->919 920 6b06ad3 919->920 921 6b06a29-6b06a2f 919->921 920->907 922 6b06a35-6b06ab9 921->922 923 6b06ac7-6b06ad0 921->923 922->923 932 6b06abb-6b06abe 922->932 932->923
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8ba78b135f4a34559a899fefeef47a2a0b4b1bdc300d37e2be72201f365d83f1
                • Instruction ID: 845256fcee8e8cf0868317bec95aa9a7c4dd61281d6bb791a57dbc055066f44e
                • Opcode Fuzzy Hash: 8ba78b135f4a34559a899fefeef47a2a0b4b1bdc300d37e2be72201f365d83f1
                • Instruction Fuzzy Hash: C6F1C170A002469FDB55DFA8D850B9EBFF2EF89300F1481A9E505DB2A1EB30DD55CB91
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f1e7014d53eb86e3907a8b0704002f469eddeec30c0ca11debdc33da254f1ce6
                • Instruction ID: 1c8df13ea0790f0202d265598a8d0172ac68cd25930ad4dbaf9c70b9b11815ee
                • Opcode Fuzzy Hash: f1e7014d53eb86e3907a8b0704002f469eddeec30c0ca11debdc33da254f1ce6
                • Instruction Fuzzy Hash: FBD1F5B4A00318CFDB14EFB4D8546ADBBB2FF8A301F1085A9D51AAB354DB359886CF51
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 703139c6bd18a60166b3188612ac259701451371d5cfdd40e9045d253e539c02
                • Instruction ID: 72f0b4440a1b0f6272aba38515b0454dd3cee5f1132e1bdae9a640c99b1a2609
                • Opcode Fuzzy Hash: 703139c6bd18a60166b3188612ac259701451371d5cfdd40e9045d253e539c02
                • Instruction Fuzzy Hash: 32D1E4B4A00318CFDB18EFB4D85469DBBB2FF8A301F1085A9D51AAB394DB319985CF51

                Control-flow Graph

                APIs
                • GetModuleHandleW.KERNELBASE(00000000), ref: 0308B086
                Memory Dump Source
                • Source File: 00000002.00000002.3321174492.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_3080000_RegAsm.jbxd
                Similarity
                • API ID: HandleModule
                • String ID:
                • API String ID: 4139908857-0
                • Opcode ID: ccc0c483c8d900064a359620eae8270c38ee35804c540e0c11c11e3db0d35d3c
                • Instruction ID: b2ec2b2f0c98bc0b81534f911280f3c6ce49f73baa075818b679a92ffc0db17c
                • Opcode Fuzzy Hash: ccc0c483c8d900064a359620eae8270c38ee35804c540e0c11c11e3db0d35d3c
                • Instruction Fuzzy Hash: 8F8136B0A01B05CFDB64EF69D04479ABBF1FF89304F04892ED48A9BA41D735E849CB91

                Control-flow Graph

                APIs
                • CreateActCtxA.KERNEL32(?), ref: 030859F1
                Memory Dump Source
                • Source File: 00000002.00000002.3321174492.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_3080000_RegAsm.jbxd
                Similarity
                • API ID: Create
                • String ID:
                • API String ID: 2289755597-0
                • Opcode ID: 17902ad3a7bc2a078664d8bba767fd9af892b25b64bf2d00e5b0a18af3793cd3
                • Instruction ID: 0805d093d4fd3206980f12abe77cfd2d09ae7a89b0ca853b2b7ac1a834c16b37
                • Opcode Fuzzy Hash: 17902ad3a7bc2a078664d8bba767fd9af892b25b64bf2d00e5b0a18af3793cd3
                • Instruction Fuzzy Hash: 4241FFB0C00768CEDB24DFA9C884B8DBBF5BF49304F24806AD448AB255DB756949CF51

                Control-flow Graph

                APIs
                • CreateActCtxA.KERNEL32(?), ref: 030859F1
                Memory Dump Source
                • Source File: 00000002.00000002.3321174492.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_3080000_RegAsm.jbxd
                Similarity
                • API ID: Create
                • String ID:
                • API String ID: 2289755597-0
                • Opcode ID: 8977aa6d857658c33e9447298042697d03a828e2aafc7db2d0ace9060fa323ec
                • Instruction ID: 4cf2b00f5b8a82520da72d816ea93ab390cb34e1b3778c4675103a2630c1a4ee
                • Opcode Fuzzy Hash: 8977aa6d857658c33e9447298042697d03a828e2aafc7db2d0ace9060fa323ec
                • Instruction Fuzzy Hash: 0841EDB0D00729CBDB24DFA9C884B8DBBB5BF49304F20806AD448AB251DB756946CF91

                Control-flow Graph

                APIs
                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0308B101,00000800,00000000,00000000), ref: 0308B312
                Memory Dump Source
                • Source File: 00000002.00000002.3321174492.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_3080000_RegAsm.jbxd
                Similarity
                • API ID: LibraryLoad
                • String ID:
                • API String ID: 1029625771-0
                • Opcode ID: a1c43bb1718ca6b53f83c7af0ee80dc298afc3fe78dc63724ee5c12008c6bb98
                • Instruction ID: 7177966d902d45be1440543533666ab51cf52852f1a04a2102a7e478b26726e5
                • Opcode Fuzzy Hash: a1c43bb1718ca6b53f83c7af0ee80dc298afc3fe78dc63724ee5c12008c6bb98
                • Instruction Fuzzy Hash: B72198B6809388CFDB11DFAAD8646DEBFF0AF59310F04805AD584AB301C2789505CFA5

                Control-flow Graph

                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID: d
                • API String ID: 0-2564639436
                • Opcode ID: 7beba311dcee4c9326d7b55979735a1750e2f73baed4bfc0e89526b8061b4d38
                • Instruction ID: a37ff040e70f0f2cdc5fd1acef445d5c9d6381a1d53670d1a7732b41b1f6526f
                • Opcode Fuzzy Hash: 7beba311dcee4c9326d7b55979735a1750e2f73baed4bfc0e89526b8061b4d38
                • Instruction Fuzzy Hash: 66D15A75600602CFD764CF68C5809AABBF2FF88310765CA99D55A9BAA1D730FC46CF90

                Control-flow Graph

                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0308D2C6,?,?,?,?,?), ref: 0308D387
                Memory Dump Source
                • Source File: 00000002.00000002.3321174492.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_3080000_RegAsm.jbxd
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0
                • Opcode ID: 7f13456db5bb63f678ebf5fcad185ec67eec8286e71f0e1313902a37cd9bbc37
                • Instruction ID: 08b0ad7c5ba3ade9f60d514aea545ebadee4bbb262e363c682f68efa9db02b6c
                • Opcode Fuzzy Hash: 7f13456db5bb63f678ebf5fcad185ec67eec8286e71f0e1313902a37cd9bbc37
                • Instruction Fuzzy Hash: 242116B5900748EFDB10CF9AD984ADEFBF4EB48310F14841AE954A7350D378A954CFA5

                Control-flow Graph

                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0308D2C6,?,?,?,?,?), ref: 0308D387
                Memory Dump Source
                • Source File: 00000002.00000002.3321174492.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_3080000_RegAsm.jbxd
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0
                • Opcode ID: 3937797cf5fdd948ddbd64ccaa27ed393e239788444c36e18915fe1de505bb27
                • Instruction ID: 218730e24b409e98e4ecc94277c8d6c22358abaea67183de10eb9996a95883da
                • Opcode Fuzzy Hash: 3937797cf5fdd948ddbd64ccaa27ed393e239788444c36e18915fe1de505bb27
                • Instruction Fuzzy Hash: 242103B5900208EFDB10CFA9D984AEEBBF4AB48310F14841AE918B3350D378A944CF64

                Control-flow Graph

                APIs
                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0308B101,00000800,00000000,00000000), ref: 0308B312
                Memory Dump Source
                • Source File: 00000002.00000002.3321174492.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_3080000_RegAsm.jbxd
                Similarity
                • API ID: LibraryLoad
                • String ID:
                • API String ID: 1029625771-0
                • Opcode ID: 65c544f6b9abb6afd334c36b5102564d6fb93da6e2c5a1a3627bb3d85c085349
                • Instruction ID: 0dd6b295d1dd07898245e06321ea52780e8212f1a89fabd6bdd6f568bb4c681c
                • Opcode Fuzzy Hash: 65c544f6b9abb6afd334c36b5102564d6fb93da6e2c5a1a3627bb3d85c085349
                • Instruction Fuzzy Hash: 571114B6901749DFDB20DF9AD844AAEFBF4EB48310F14842EE559A7300C374A545CFA5

                Control-flow Graph

                APIs
                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0308B101,00000800,00000000,00000000), ref: 0308B312
                Memory Dump Source
                • Source File: 00000002.00000002.3321174492.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_3080000_RegAsm.jbxd
                Similarity
                • API ID: LibraryLoad
                • String ID:
                • API String ID: 1029625771-0
                • Opcode ID: 819901fa42d8b0b4ec4e7b54958d7ce885736528529c074ad74a37f7023da976
                • Instruction ID: 0c493d37773b8e01f8f500d184a828a46bc9ed6976db463c2172e92f630ea7fc
                • Opcode Fuzzy Hash: 819901fa42d8b0b4ec4e7b54958d7ce885736528529c074ad74a37f7023da976
                • Instruction Fuzzy Hash: E31114B6800349CFDB10CFAAC844ADEFBF4AB48310F14841AD959A7300C374A545CFA5

                Control-flow Graph

                APIs
                • GetModuleHandleW.KERNELBASE(00000000), ref: 0308B086
                Memory Dump Source
                • Source File: 00000002.00000002.3321174492.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_3080000_RegAsm.jbxd
                Similarity
                • API ID: HandleModule
                • String ID:
                • API String ID: 4139908857-0
                • Opcode ID: 9045f5578d6302f0bf00c1608776906a925b2ee374b70fd4977e369615b55105
                • Instruction ID: 3f7a91fe44dbdf556089c6104b31a248c8cbe999912f0c98a4a49be39dfe957e
                • Opcode Fuzzy Hash: 9045f5578d6302f0bf00c1608776906a925b2ee374b70fd4977e369615b55105
                • Instruction Fuzzy Hash: 0E1113B6C00749CFDB20DF9AC844BDEFBF4AB88610F14841AD568B7210D375A549CFA5

                Control-flow Graph

                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a863820e956dd6e4f101d6aecfca84c26783c7f809367fa0f1b5a8013ef75ee4
                • Instruction ID: 7c407da4981aad5a91b8d799c5691360b266aabcd990eb365d11cc55a4e2ea1d
                • Opcode Fuzzy Hash: a863820e956dd6e4f101d6aecfca84c26783c7f809367fa0f1b5a8013ef75ee4
                • Instruction Fuzzy Hash: 27323974B00605CFDB54DF69D598A6ABBF2FF89304B1584A9E606CB3A2DB30EC45CB50
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 12c0e3c4e19d60182bb17ceb9e747bba1b9acf8724130c490ce775056234a4db
                • Instruction ID: c953896f489e7b3debd7463d92cd871280805b5cc76c2bafc3b7620f1df44fff
                • Opcode Fuzzy Hash: 12c0e3c4e19d60182bb17ceb9e747bba1b9acf8724130c490ce775056234a4db
                • Instruction Fuzzy Hash: EDB11374B00605CFDB54DF29D998AAABBF2FF89305B1540A9E546DB3A2DB30EC05CB50
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d4965a1c3b8a24c323e3fb9fe4001c4b1cb3ca4fddbd4b7bba77d194a5612f8b
                • Instruction ID: 3b382bf10d7ee3ad221c7227158ba1278a2210cb0a98cc4813b8c2364c6770bc
                • Opcode Fuzzy Hash: d4965a1c3b8a24c323e3fb9fe4001c4b1cb3ca4fddbd4b7bba77d194a5612f8b
                • Instruction Fuzzy Hash: CC5125B1E10258DFEB54CFA9C844BDEFFB5AF88300F14856AD415AB280DB74A846CF81
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d25ff9ef842ab11b1d99662c7a77fc93bf8698c45e5fca17828d034ba60d1a0e
                • Instruction ID: 3275ffefd402c6c2b4e68a0a2846b99858ab53b1e55ff27e5700d09319669e56
                • Opcode Fuzzy Hash: d25ff9ef842ab11b1d99662c7a77fc93bf8698c45e5fca17828d034ba60d1a0e
                • Instruction Fuzzy Hash: B05125B0D112589FEB54CFA9C884BDEFFF5AF48700F148529E405AB280DB74A845CF91
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 651d4876e1bcdb2cdf0c083e05ed8f3d15d247609b24e2253b9107d8bc740420
                • Instruction ID: 7e193b85104875408a834b7b1358757c7da1eea41e91c74bc564ed1cf548a8bb
                • Opcode Fuzzy Hash: 651d4876e1bcdb2cdf0c083e05ed8f3d15d247609b24e2253b9107d8bc740420
                • Instruction Fuzzy Hash: 8B3125717053118FC716E738A8606AE7BE6EFCA21030544AAE806CB781CE35EC07C7A2
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c16f1f1fed5b432d13ee20e1609d129066e958154badedfc9046588a33c99127
                • Instruction ID: c22a819a27306d267c22ef1d75d06428121119e85d3ff2e381dfd421dae08f4e
                • Opcode Fuzzy Hash: c16f1f1fed5b432d13ee20e1609d129066e958154badedfc9046588a33c99127
                • Instruction Fuzzy Hash: 38317A75B012119FCB55DF38D884AAE7FB2FF8A201B5085AAE905CB395DB30DD05CB91
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a28c15b3eaa5e3fc105c716df373dfcfc65cd4228efd32e55395937b8158b233
                • Instruction ID: 5ffe0b6d5f9c8de0f9f2b5d35058deaeba4d5a9033c5f8d28d9226e73dda1925
                • Opcode Fuzzy Hash: a28c15b3eaa5e3fc105c716df373dfcfc65cd4228efd32e55395937b8158b233
                • Instruction Fuzzy Hash: BD318F717012458FCB05EB79A8645AE7AE7EFC9300B504479E606CB384EF35AD4687E2
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3cf41e78e8daceeb920ea808033ca7de5548f0f022ec977e295dd56195df13e8
                • Instruction ID: 80d85216d44e2638625c1696db5c6b206e22ceaeb3a2b926445bb4209884d64e
                • Opcode Fuzzy Hash: 3cf41e78e8daceeb920ea808033ca7de5548f0f022ec977e295dd56195df13e8
                • Instruction Fuzzy Hash: 3A314675B012159FDB55DF38E884AAEBFB2FF89200B5085A9E905CB395DB30ED05CB90
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e30cb5078783637cac6cf4acfcd3bb2194647c340058eb92f99bd6e021923a08
                • Instruction ID: b04045d5114152bd8efb30ac4103a4c94035f04d7357e37eba934e50fb122d61
                • Opcode Fuzzy Hash: e30cb5078783637cac6cf4acfcd3bb2194647c340058eb92f99bd6e021923a08
                • Instruction Fuzzy Hash: AC41F0B1D01648DFEF54CFAAD944ADEBFB6AF88310F14806AE415B7290DB34A945CF90
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 94f74b6dd3db70d801e2c68fcec951a74dadc4094148e77c553e612a02a4623a
                • Instruction ID: f129ead22a9a642d1e306df46f26b182401d2f3f19c2102e6115cac781516277
                • Opcode Fuzzy Hash: 94f74b6dd3db70d801e2c68fcec951a74dadc4094148e77c553e612a02a4623a
                • Instruction Fuzzy Hash: B4310EB1D017489FEF14CFAAC940ADEBFF6AF88310F14802AE415AA290DB349945CF90
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b38022c6f5a817b7e577fca002fe3304b7a7aae3a901056c50a522bf93345971
                • Instruction ID: 50e3e5e44452c0edc5a11ad32b7f7f396b70cec26eb0e049671f9075612f05a1
                • Opcode Fuzzy Hash: b38022c6f5a817b7e577fca002fe3304b7a7aae3a901056c50a522bf93345971
                • Instruction Fuzzy Hash: 1B3102B1D01258DFEF54CFA9D894BDEBFF5AF88310F14806AE405A7280CB75A945CB90
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 59fee8a9cc03fca1f5faaf9e6f086938694fa6e749bb9ac7983056f9098e8bdf
                • Instruction ID: 307a2e9b9056b7da496cd8336e834a509b337699d5adf79d8759ee6499c45cab
                • Opcode Fuzzy Hash: 59fee8a9cc03fca1f5faaf9e6f086938694fa6e749bb9ac7983056f9098e8bdf
                • Instruction Fuzzy Hash: AA1157722092E42FC7524AA85C14EFB3FA9DB8A151B084197FAC0D7283C428CD2697B1
                Memory Dump Source
                • Source File: 00000002.00000002.3320670775.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_13dd000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 446b1e07e283279ec9f0feacf80eb135edb4ded9ad81d6eece870c93706c195b
                • Instruction ID: c5221c5183d8acbbfe4c6a4c38c0fbaafcae0ccdb36456d3a3a399f717582d32
                • Opcode Fuzzy Hash: 446b1e07e283279ec9f0feacf80eb135edb4ded9ad81d6eece870c93706c195b
                • Instruction Fuzzy Hash: 442145B2500204EFDB01DF94E9C0B66BF79FB84328F20C16CD9091B286C736E456CAA2
                Memory Dump Source
                • Source File: 00000002.00000002.3320670775.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_13dd000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b78ee0fd496529ca7c9fbdd36163b4da51e5f32e323aa71e51c772fe99010ca5
                • Instruction ID: 66fec763f28bf8d7426fad1258419f55a8f545ff4532684ba64dcb99119a3b50
                • Opcode Fuzzy Hash: b78ee0fd496529ca7c9fbdd36163b4da51e5f32e323aa71e51c772fe99010ca5
                • Instruction Fuzzy Hash: 5C210372500244EFDB15DF68E9C0B26BF66FB8431CF24C569D9090B686C336D456CBA2
                Memory Dump Source
                • Source File: 00000002.00000002.3320723167.00000000013ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 013ED000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_13ed000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fdc5f3c2dc8fa1847d94f9e2f7c9ddbcf9e9e6e72835c5195df4c5ed9630507c
                • Instruction ID: 2ff58438eb711bb4ce6bc8605128adade245f88e34418312bc78376c49bc39f3
                • Opcode Fuzzy Hash: fdc5f3c2dc8fa1847d94f9e2f7c9ddbcf9e9e6e72835c5195df4c5ed9630507c
                • Instruction Fuzzy Hash: 3E210071604304EFDB15DF68D988B26BFA5FB84318F28C56DD90A4B686C33AD846CA61
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f49da5d1f0a12946eed88795f6f8dc9b1d091b690574f986e2e7234d4c110389
                • Instruction ID: 6756b30e53a785fa3c8981f0e9e863039d27ec6e500f2474d2a9706dd07cfe31
                • Opcode Fuzzy Hash: f49da5d1f0a12946eed88795f6f8dc9b1d091b690574f986e2e7234d4c110389
                • Instruction Fuzzy Hash: D12102B8D0425ADFDF10CFA8D484AEEBFB5EB09311F2044AAE415AB391D7345A81CB90
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bfa908d56d209ecf442d190813145353696d693f98ddaa8c6501480a5ee2865a
                • Instruction ID: 750e11692e2b88a91d280004c311bc0f756e900d62d8d87cfd7213b1ebeae9fa
                • Opcode Fuzzy Hash: bfa908d56d209ecf442d190813145353696d693f98ddaa8c6501480a5ee2865a
                • Instruction Fuzzy Hash: 732124B1D01248DFEF14CFA9C894BDEBFF8AF48310F14802AE404A7280CB759945CBA4
                Memory Dump Source
                • Source File: 00000002.00000002.3320670775.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_13dd000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a994b626c5b1a2b6fd6d27e6a0f022d141ef464c75df6f036bdb8b2bbfaa7e2a
                • Instruction ID: 3b60e76044b362d4ab1b506ec40d1bf488e683e6887156a48727eaa3ac5f37a4
                • Opcode Fuzzy Hash: a994b626c5b1a2b6fd6d27e6a0f022d141ef464c75df6f036bdb8b2bbfaa7e2a
                • Instruction Fuzzy Hash: 62112672504280DFCB12CF54D9C0B16BF72FB84318F24C6A9D8090B657C33AD45ACBA2
                Memory Dump Source
                • Source File: 00000002.00000002.3320670775.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_13dd000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a994b626c5b1a2b6fd6d27e6a0f022d141ef464c75df6f036bdb8b2bbfaa7e2a
                • Instruction ID: b310530fdeefec7d699ce53275a6dd36b7e55a7825c26dd9c45508896c13f782
                • Opcode Fuzzy Hash: a994b626c5b1a2b6fd6d27e6a0f022d141ef464c75df6f036bdb8b2bbfaa7e2a
                • Instruction Fuzzy Hash: EB1126B2504280DFCB12CF44D9C0B56BF71FB84328F24C6A9D8090B657C33AE45ACBA2
                Memory Dump Source
                • Source File: 00000002.00000002.3320723167.00000000013ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 013ED000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_13ed000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ac9c5df3739d9922357d97ee08fe41b46f5237faea4d682c3f3ac9d5e7d34632
                • Instruction ID: e9295326139a62ea4fb80e593547b55d58d63b1664183759072009bb1538a361
                • Opcode Fuzzy Hash: ac9c5df3739d9922357d97ee08fe41b46f5237faea4d682c3f3ac9d5e7d34632
                • Instruction Fuzzy Hash: 7F11D075504380DFCB12CF54D5C4B15FFA1FB44318F28C6A9D8094B696C33AD84ACB62
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 559bf2a501b053d2d439e245074e828d9f3c2811f8269780df9e7f3c080ca57a
                • Instruction ID: cef795055539d4f4d8f8c1f068348a0fd78c96d062bdcf54824edbe00a23a16e
                • Opcode Fuzzy Hash: 559bf2a501b053d2d439e245074e828d9f3c2811f8269780df9e7f3c080ca57a
                • Instruction Fuzzy Hash: F40161723002069BC794AB38F4687BE7AB7FFC6254754481CE24787640DE706D4687B5
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 44478a845740d692d1417b471bbaf5645f75b07f305414360d385a46d6476eb0
                • Instruction ID: 1f53b78a49b4cb16111b54ecf13347c44a2fb727ef37a27564fb7bd5f9e9dfbe
                • Opcode Fuzzy Hash: 44478a845740d692d1417b471bbaf5645f75b07f305414360d385a46d6476eb0
                • Instruction Fuzzy Hash: E8018871B002199BDF10DEA9EC44ABFBBFAFBD8351B144036E604D3240DB309D5587A1
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f27a2211ccd544ea5694a13168a1ae23d2aaff542841a6fb736005df0e19a0cb
                • Instruction ID: 20860e6714702c5bff49ec9ae3aef14d3c034236eb041dd2b036623c2823512f
                • Opcode Fuzzy Hash: f27a2211ccd544ea5694a13168a1ae23d2aaff542841a6fb736005df0e19a0cb
                • Instruction Fuzzy Hash: 23018E712006068BD324AF29E01875A77E3FFC9315F108A2DD14A97B44DF74AC0ACBA1
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 97f68a275918e29b1dae0646851637631624caf8c8fe4b984f47b2c9cf7a60e3
                • Instruction ID: dc3d133fb8f04359012541c09589d5400e944296887f812eee245d782ac2c04a
                • Opcode Fuzzy Hash: 97f68a275918e29b1dae0646851637631624caf8c8fe4b984f47b2c9cf7a60e3
                • Instruction Fuzzy Hash: 9F012C723002068BCB95A77CF46867E7AB3FFC6258754492CE2078B650DE70BD4687B6
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: dc74dc44a57ecc5f49b88f684f316c3633dc2fc35f51745c3d2cec1e0c34c47d
                • Instruction ID: 5ad3cb9e6d57a7caed83efbba95624f683cb5123c53e941dd46d4e0da8e18383
                • Opcode Fuzzy Hash: dc74dc44a57ecc5f49b88f684f316c3633dc2fc35f51745c3d2cec1e0c34c47d
                • Instruction Fuzzy Hash: 5E0180712006058BD325AF79F05869A77E3EBC9315B148A2DD14A97B44DF74AC09CBE1
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 379dbcf5bb7be5fc4650d17ba3c9f69027cef95bdda7d3f00cc87eb8fdd32dee
                • Instruction ID: 99da83e627db7a817ec317488735e0a49d31dee16306c7f6833503440ba70f16
                • Opcode Fuzzy Hash: 379dbcf5bb7be5fc4650d17ba3c9f69027cef95bdda7d3f00cc87eb8fdd32dee
                • Instruction Fuzzy Hash: AD01DB79A11702CFE7B48A39A6047277FF7FF84205704987DD20282A84DA71E480CF80
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b1b3b0dca85957cad4ee6df3e8bfe5db10000492fdd73986690673f8a098fe7f
                • Instruction ID: 11017df39be1e1f6d1bd39f8b5f207589b90a900216b005f16d91c314b5859bc
                • Opcode Fuzzy Hash: b1b3b0dca85957cad4ee6df3e8bfe5db10000492fdd73986690673f8a098fe7f
                • Instruction Fuzzy Hash: A201D134208308DFCB42AF74D8189697FB6EF86200B5088E9E5418B362EB36DC05DB91
                Memory Dump Source
                • Source File: 00000002.00000002.3320670775.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_13dd000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: db0715171a2678f2fc3f70fb439b2b5cb8c312316e28be4ee94c5640f582f981
                • Instruction ID: f2eb2caa2aa3025ee071bf9f48abc63efea41fb7ae86c15678762cf42bb6aa79
                • Opcode Fuzzy Hash: db0715171a2678f2fc3f70fb439b2b5cb8c312316e28be4ee94c5640f582f981
                • Instruction Fuzzy Hash: 2BF049B6200A04AFD7208F0ADD84C23FBBDEBD4734319C55AE94A4B752C631EC41CAA0
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b1772c82b0f76b2718c42de8e9f70947ad4b90bd6b3b3d1777d9111434d50064
                • Instruction ID: a685d0cc70fd04ff6125fe15c1c5eb6056c0424b1d0249e3ba7fec99ce76aa5b
                • Opcode Fuzzy Hash: b1772c82b0f76b2718c42de8e9f70947ad4b90bd6b3b3d1777d9111434d50064
                • Instruction Fuzzy Hash: A601C4B4D04219EFEB54DFA9D5456AEBFF5BB48301F1094A99415B3390E7740B40DF90
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 04a1a3c9436f57b72f7295803f8837fc912b0f24a77649432a0eb3d47aa85d88
                • Instruction ID: d072ff99f9839e17869f09748b052d89e1a22e9e670e639c07f2f59aeb810e55
                • Opcode Fuzzy Hash: 04a1a3c9436f57b72f7295803f8837fc912b0f24a77649432a0eb3d47aa85d88
                • Instruction Fuzzy Hash: BA017C70E0124AEFCB04EFB8F49969CBBB2FB44204F1404A8D906E7210EB341E40CB55
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9d917475b76da25f84e205d6ce96cf157d22037a5e6002b7a1c7852a74b1d23d
                • Instruction ID: f44f85db898e63d93f47ed362874bf58088cc682ca7757bc5025927433d056fc
                • Opcode Fuzzy Hash: 9d917475b76da25f84e205d6ce96cf157d22037a5e6002b7a1c7852a74b1d23d
                • Instruction Fuzzy Hash: 0BF030713006028FC619E77DF860AAE77E7EBCA210314492DE54B8B754EF74BD0687A2
                Memory Dump Source
                • Source File: 00000002.00000002.3320670775.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_13dd000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d1b93ff50a9c004942444a3ec556a9ae7e6561f6eb559c28dfd3355ef3c1ea21
                • Instruction ID: 35ab934fcadae369e420aba2dc69c4c34368b8f0bfdcbda5b2629d49141a3715
                • Opcode Fuzzy Hash: d1b93ff50a9c004942444a3ec556a9ae7e6561f6eb559c28dfd3355ef3c1ea21
                • Instruction Fuzzy Hash: F6F04F75104A80AFD725CF05CD84C23BFB9EF867747198489E88A4B752C630FC42CBA0
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d7e48a15daa6f5e997ad16f3b6c173230ab3981a878d66066c74e1318699cddb
                • Instruction ID: 5d39e121d4442d0786ff5b7f3fcb6cb17a6ec8d658a29474c30090ec52ec4c55
                • Opcode Fuzzy Hash: d7e48a15daa6f5e997ad16f3b6c173230ab3981a878d66066c74e1318699cddb
                • Instruction Fuzzy Hash: BBF082622041E83F8B514EAA5C14DFB3FEDDA8E1617084056FE98C2241C429C921ABB0
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0689cb50a9e264df9544d4ee7c46eba190db7df014a2b98bfaa1cd9e3df6d406
                • Instruction ID: 09c671fd5690ed6b9ed579559970971cf3beb8737a4e185047684475f3a508e5
                • Opcode Fuzzy Hash: 0689cb50a9e264df9544d4ee7c46eba190db7df014a2b98bfaa1cd9e3df6d406
                • Instruction Fuzzy Hash: D0F02E31B003009FE720CA28AC45FA13FE2EB46310F1482ABF250CB1E2E7B1D8098780
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 97eee5c701147b1fb7bea7fc41f42d49bf19da7eed9d568c0e5d2d3c61c3234e
                • Instruction ID: d735e40afcc2d66bec5b28f4decb8545d8dbb9dd1fe7b84aeb0a2536389adfa5
                • Opcode Fuzzy Hash: 97eee5c701147b1fb7bea7fc41f42d49bf19da7eed9d568c0e5d2d3c61c3234e
                • Instruction Fuzzy Hash: 24F0A7B2205211AFC7502B69B8A869B7FEEEBCA254B00446DF14BD7242DA751C4587B1
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 45802c9a7dd6f4d5afb2f2e26b1d2c8899de51a1951ccdf348e4bc1d9378ac20
                • Instruction ID: f318592c50da5f5f8f0637a5c753fb3304d83f96df612c0c2af14736a55591a5
                • Opcode Fuzzy Hash: 45802c9a7dd6f4d5afb2f2e26b1d2c8899de51a1951ccdf348e4bc1d9378ac20
                • Instruction Fuzzy Hash: F4F022369053818FE7A18A61D60076BBFB2EF81210F0894DED04146DA5C730E445CF40
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7f82845eb3e39fe30723f64dd4c1d4cc5782e94febba1f07a655de1c10f2ccdc
                • Instruction ID: 2cc492cc11fc3812fd3d9dcdcfcdc3f9eaf43e0ba9ea9f746def82afa9b6d9df
                • Opcode Fuzzy Hash: 7f82845eb3e39fe30723f64dd4c1d4cc5782e94febba1f07a655de1c10f2ccdc
                • Instruction Fuzzy Hash: DEF0A9F5C08149EFEB00DBB0D8151AEBFB1EB6A201F0045CAE402E7391E6344A01DB40
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: aaf3fb62fb011d993e916a17f6fc72fb1f551d7d6136502971f911a046de4da0
                • Instruction ID: 5294b1373b56bcc684c91a9c34272d7abb090de4f4c80a2ebe68b75085fc732d
                • Opcode Fuzzy Hash: aaf3fb62fb011d993e916a17f6fc72fb1f551d7d6136502971f911a046de4da0
                • Instruction Fuzzy Hash: 03F082F37091A09FD722277868280AD3FB6E9C769534944DFD187CB292DA544A06C3A2
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8e30d94b983d871aa1638108020e1d48c6df1ec4f7190e0b369aacce0f970e21
                • Instruction ID: 7f9b41f940620e8046b962c1cf26392536c877b24c223d0d9e3ee3d8262faad7
                • Opcode Fuzzy Hash: 8e30d94b983d871aa1638108020e1d48c6df1ec4f7190e0b369aacce0f970e21
                • Instruction Fuzzy Hash: 6AF03C70E0124AEFCB04EFB8F59969C7BB6FB44204B1445A9D906E7750EA341E44CB95
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: db2bfb66122adcf502f00fc1fbd6b67c302db160e81d21cf7f720ccc253308f8
                • Instruction ID: 9eb46f7f8b9a4c3aaade6669795b570c68222d2746bb31628857814ba62d0959
                • Opcode Fuzzy Hash: db2bfb66122adcf502f00fc1fbd6b67c302db160e81d21cf7f720ccc253308f8
                • Instruction Fuzzy Hash: 10F0B4312057918FC7129B38F81979F7FE7DF82308F08055DE2868BA41DBA1A80587A5
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7a042159d0a3c8e8b57ba2c4181a6942b75c61f74ee231e015437e62c920b523
                • Instruction ID: 83eaec9b059f8ce786f5af39204549099061dd312e4556234bed6f1c05a0e0da
                • Opcode Fuzzy Hash: 7a042159d0a3c8e8b57ba2c4181a6942b75c61f74ee231e015437e62c920b523
                • Instruction Fuzzy Hash: ACF0A471500B058FE725DF25E40C621BBF6FB48341B10891ED48A83B00DB74A545CF94
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0ab2c5b2fd919fc362841114d3202656b1c7d57b2d4e9044b9c2196ab08f25ca
                • Instruction ID: 8f3657e655794d594e1ba50e5340337a0306ba27f7535cfce284c5752aaae35f
                • Opcode Fuzzy Hash: 0ab2c5b2fd919fc362841114d3202656b1c7d57b2d4e9044b9c2196ab08f25ca
                • Instruction Fuzzy Hash: 06F0A772F142159BCF20DA68AC446FFBFEAEFD8151F0C042AE554D3141E730951583A1
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 86bddcfbca4227330fa5d7b878c97a7b675719a840527d6e859b6ae3bad64f5f
                • Instruction ID: b662c7dd67918355805e90be9f13b7144514c05fe02b745b29bb91cb40143959
                • Opcode Fuzzy Hash: 86bddcfbca4227330fa5d7b878c97a7b675719a840527d6e859b6ae3bad64f5f
                • Instruction Fuzzy Hash: 61E092B2300101ABC3102A6AB498AAE7BDEEBCA355B00442CF20FD3241CAB11C0547B5
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f9f37a859f8b0645968e2a6ac3b25465a519d7c6fbd2a4a4359e994ddf936dcb
                • Instruction ID: 04cc2029ec05bd39c01ebdbd0c90ad7f1965d5d042106af8f30200efd49b25c0
                • Opcode Fuzzy Hash: f9f37a859f8b0645968e2a6ac3b25465a519d7c6fbd2a4a4359e994ddf936dcb
                • Instruction Fuzzy Hash: F2F09075500B018FE715DF26E40C622BBF6FB88341700C62EE48A83A10DB74A509CFD8
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 00009d4b0e6d665ea999bb3e9bf9d63d79ef7d23f339c6ea9477ea56e2bca05b
                • Instruction ID: fc0e7d51dbc5801649078085c71895571cca3953cdb8529090cbc1bc9194c2b3
                • Opcode Fuzzy Hash: 00009d4b0e6d665ea999bb3e9bf9d63d79ef7d23f339c6ea9477ea56e2bca05b
                • Instruction Fuzzy Hash: 56F03935D0A20DFFCB01DFB4D94A9CDBFB9EB44204F1442A6E805E3250EA315B45CBA1
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9ec55d2880e0e2cf6c38ef6f8d1102f75d71568a698e46ac5d4744210a0097a8
                • Instruction ID: f3118bb41fe3dfa3ea810c423d5c29031b20c399023f0bcd17de0bcb4e789980
                • Opcode Fuzzy Hash: 9ec55d2880e0e2cf6c38ef6f8d1102f75d71568a698e46ac5d4744210a0097a8
                • Instruction Fuzzy Hash: AEE030312007528FC716A76DF4197AE7BE6DB85314F08052DE24687A41DAA5AC0587A5
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b9950bfe9555c72a0bcb1541d86ab282d75b8e0618e603f351353969ab93d84c
                • Instruction ID: 9c6b1e7c3c7cf21a7cc57a09bbc98b826baf93ef320c08cf237f55f6aa23ff18
                • Opcode Fuzzy Hash: b9950bfe9555c72a0bcb1541d86ab282d75b8e0618e603f351353969ab93d84c
                • Instruction Fuzzy Hash: DCE092B220C3409FD305EB24EC458967FE4EB93210F0588AEE480C7581EB32D841CBA9
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2cad77f5f8e77012492868a3e2af67a7664a9b3990c4c41028be2efd451119ec
                • Instruction ID: 03b8a898292b0168090db7cb48ed161a5fdb337bd9507f4d48eb3c662afd54ef
                • Opcode Fuzzy Hash: 2cad77f5f8e77012492868a3e2af67a7664a9b3990c4c41028be2efd451119ec
                • Instruction Fuzzy Hash: 44E0DF72B012818FD755A238BF1A6C43B62E79A200B032085E8058BAA2C63C0E5687E2
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 326e621b150ca90f800d0a0148e6b6c75bccd1bcec5965db65db5395c4fe0bf3
                • Instruction ID: 491fb0ff7af6a5ee20df8191a14218fb604910958d2932c06458f527a0c124c9
                • Opcode Fuzzy Hash: 326e621b150ca90f800d0a0148e6b6c75bccd1bcec5965db65db5395c4fe0bf3
                • Instruction Fuzzy Hash: 4DE048B2A09245EFCB01DB78B9549DD7BB1DB4621472142DAD809D7251D7301F158761
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 83c02056e8374a568703fc86cf008ca081f78c7ad45f687e585d09f29bb7841b
                • Instruction ID: 8bf2d9d1a54ebe5cba34d2cfe656f36aacb984b43c6b109ae2562309adcf21e6
                • Opcode Fuzzy Hash: 83c02056e8374a568703fc86cf008ca081f78c7ad45f687e585d09f29bb7841b
                • Instruction Fuzzy Hash: AEE086B4A01241EFDB619B28F64D7D93FA6DB45315F010158ED4787A41CB3C5C5187A1
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b66eb2aeb17d185f2b859ea100a10d70a3e0a8463c974c796100e37f120e9650
                • Instruction ID: 306c32ad26fa48f8b380cfd1dd091020d3b938ef246175e373fdebd9ef0f5d16
                • Opcode Fuzzy Hash: b66eb2aeb17d185f2b859ea100a10d70a3e0a8463c974c796100e37f120e9650
                • Instruction Fuzzy Hash: 81D05EB23001299B8A1537A9B4184FE7BAFEAC6662301002EE70BCB240CFA51D0687D6
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 35ddef9b8abc13aa51e04b151f75b5dd744ac6ab3d53e9a2214803f9e07f3d9f
                • Instruction ID: 91e710cc6e54a4e019ac86e5f5b61e66bad8ddbee0f7c8166f115939069ec1b9
                • Opcode Fuzzy Hash: 35ddef9b8abc13aa51e04b151f75b5dd744ac6ab3d53e9a2214803f9e07f3d9f
                • Instruction Fuzzy Hash: A6E04672B001418BCB61AF1DF8087C9BBE1EB85211F128229D88987A42C7780C52CBA1
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 10ef9dd880480e12d1dc0fd7cfee8243c46eb0dc078670330968b63c266cb029
                • Instruction ID: 1b23e276b2949434dba30b209d2e27f3b4206ec11c6703a65c9e6f03e7626811
                • Opcode Fuzzy Hash: 10ef9dd880480e12d1dc0fd7cfee8243c46eb0dc078670330968b63c266cb029
                • Instruction Fuzzy Hash: 05E09275D0020DEFCB40DFE4E9499DDBBB9EB48200F1482AAD909E3200EB306B55DF90
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 728cea998b7ebd4f6f5d2b414c88cc51bb2ba0001f9a0ce4262ed1fbbd18da0f
                • Instruction ID: bf0a8baa2d9e3bdc4c475bc50ecfb4a2829fc38c0ad4e34c0f9847cc90e0965f
                • Opcode Fuzzy Hash: 728cea998b7ebd4f6f5d2b414c88cc51bb2ba0001f9a0ce4262ed1fbbd18da0f
                • Instruction Fuzzy Hash: 96D017B2A0020DFBCB40DFA8F914A9DB7B9EB45204B1041A99909E3200EA312F109BA1
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4fa999b035274bb64fb6d6c0d99674edb43678d7c80daac45157c651ad21993f
                • Instruction ID: 85302ee1115cc9592f030a11dd856d1923002dc21e33d1b99c0381226c22ad8f
                • Opcode Fuzzy Hash: 4fa999b035274bb64fb6d6c0d99674edb43678d7c80daac45157c651ad21993f
                • Instruction Fuzzy Hash: 7CD0523A210208EFC740AF48C880A407BF9BF48B00F508098F6804B320CB32E860EF50
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 59449d5fb06ba3ea798fdf2154e4fcaa53a9c39a698cddb480c341d8a7c8a37e
                • Instruction ID: 63b7a8765c4d9708f2a59d14ef1d8d99ac0df76ed1987b133c1fbb21bc8345ec
                • Opcode Fuzzy Hash: 59449d5fb06ba3ea798fdf2154e4fcaa53a9c39a698cddb480c341d8a7c8a37e
                • Instruction Fuzzy Hash: BAD0129BF8406117D79616ACB42826C5A83E7D96E7BCA016AEA07D3384C9125C720792
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ad454e363e74c55f608244d01206c4c9a4e27fb334741075ae6dbb0d6860373c
                • Instruction ID: c05c2ca8fd9063e5125c41fee3eb71578058eaadec24388163a2787384d94686
                • Opcode Fuzzy Hash: ad454e363e74c55f608244d01206c4c9a4e27fb334741075ae6dbb0d6860373c
                • Instruction Fuzzy Hash: 58C080201193C09FD302A3142C06DA23F214F97640F050083F1518A083C3450534C272
                Memory Dump Source
                • Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 65dcc91ed607218f6869f19ac1cd146c7c18282948f68cc27e892af555e94c27
                • Instruction ID: ca62b56cab18bcb2f4214a0d55b3e2734922eae15b9e8a1a495d11b285d531f6
                • Opcode Fuzzy Hash: 65dcc91ed607218f6869f19ac1cd146c7c18282948f68cc27e892af555e94c27
                • Instruction Fuzzy Hash: 69C09B3154F7D09FDF0257308C0D9853F16DF5271875501C6A3468F072DB224015CBA1
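The records above are the raw per-function output of the Joe Sandbox IDA plugin over memory dumped from RegAsm.exe (PID 3320): every entry is tagged "based on PE: false", i.e. it was lifted from executable memory that no image on disk backs, which is what the "Writes to foreign memory regions" and "Injects a PE file into a foreign processes" signatures in the overview refer to. Almost all of the entries on this page come from the region at 06B00000; the remaining ones come from 013DD000 and 013ED000, and the first two records even share one Opcode ID while their Instruction IDs differ. The script below is an added example, not Joe Sandbox's own code: it parses records in exactly this format, counts functions per dump base address, lists Opcode IDs that recur in more than one region, and reports which regions are unbacked. It embeds three records copied from the listing as sample input; of the dotted fields in the .sdmp file name it relies only on the 16-digit base address, which the "Offset:" value on every line confirms, and it makes no assumption about what the other fields mean.

```python
"""Parse the Joe Sandbox 'Similarity' function records listed above and
summarise which memory regions of RegAsm.exe (PID 3320) they were dumped
from.  Added example for this report, not Joe Sandbox's own code."""
import re
from collections import Counter, defaultdict

# Three records copied from the listing above.  The trailing empty
# 'Similarity' fields are shown once; the parser skips them either way.
SAMPLE = """\
• Opcode ID: a994b626c5b1a2b6fd6d27e6a0f022d141ef464c75df6f036bdb8b2bbfaa7e2a
• Instruction ID: 3b60e76044b362d4ab1b506ec40d1bf488e683e6887156a48727eaa3ac5f37a4
• Opcode Fuzzy Hash: a994b626c5b1a2b6fd6d27e6a0f022d141ef464c75df6f036bdb8b2bbfaa7e2a
• Instruction Fuzzy Hash: 62112672504280DFCB12CF54D9C0B16BF72FB84318F24C6A9D8090B657C33AD45ACBA2
Memory Dump Source
• Source File: 00000002.00000002.3320670775.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_13dd000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a994b626c5b1a2b6fd6d27e6a0f022d141ef464c75df6f036bdb8b2bbfaa7e2a
• Instruction ID: b310530fdeefec7d699ce53275a6dd36b7e55a7825c26dd9c45508896c13f782
• Opcode Fuzzy Hash: a994b626c5b1a2b6fd6d27e6a0f022d141ef464c75df6f036bdb8b2bbfaa7e2a
• Instruction Fuzzy Hash: EB1126B2504280DFCB12CF44D9C0B56BF71FB84328F24C6A9D8090B657C33AE45ACBA2
• Source File: 00000002.00000002.3320723167.00000000013ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 013ED000, based on PE: false
• Snapshot File: hcaresult_2_2_13ed000_RegAsm.jbxd
• Opcode ID: 559bf2a501b053d2d439e245074e828d9f3c2811f8269780df9e7f3c080ca57a
• Instruction ID: cef795055539d4f4d8f8c1f068348a0fd78c96d062bdcf54824edbe00a23a16e
• Opcode Fuzzy Hash: 559bf2a501b053d2d439e245074e828d9f3c2811f8269780df9e7f3c080ca57a
• Instruction Fuzzy Hash: F40161723002069BC794AB38F4687BE7AB7FFC6254754481CE24787640DE706D4687B5
• Source File: 00000002.00000002.3322414064.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
• Snapshot File: hcaresult_2_2_6b00000_RegAsm.jbxd
"""

# Only the 16-digit base-address field of the .sdmp name is interpreted; it
# matches the 'Offset:' value on every line of the listing.  The other
# dotted fields are matched by shape only, their meaning is not assumed.
SOURCE_RE = re.compile(
    r"(?P<file>\d+\.\d+\.\d+\.(?P<base>[0-9A-Fa-f]{16})(?:\.[0-9A-Fa-f]{8}){4}\.sdmp)"
    r", Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)"
)


def parse_records(text):
    """One dict per function; a record starts at its 'Opcode ID' bullet."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("•"):
            continue  # 'Memory Dump Source' etc. are labels without a value
        key, _, value = line[1:].partition(":")
        if key.strip() == "Opcode ID":
            current = {}
            records.append(current)
        if current is not None:
            current[key.strip()] = value.strip()
    return records


def parse_source(value):
    """Split a 'Source File' value into dump name, base address and PE flag."""
    m = SOURCE_RE.fullmatch(value)
    if m is None:
        raise ValueError("unrecognised Source File entry: " + value)
    return {"file": m["file"], "base": int(m["base"], 16),
            "offset": int(m["offset"], 16), "pe_backed": m["pe"] == "true"}


def functions_per_region(records):
    """Number of dumped functions per base address; an unbacked region that
    is full of code is where the injected payload sits."""
    return dict(Counter(parse_source(r["Source File"])["base"] for r in records))


def shared_opcode_ids(records):
    """Opcode IDs dumped from more than one region: the same opcode sequence
    at two addresses, even though the full-instruction hashes differ."""
    seen = defaultdict(set)
    for r in records:
        seen[r["Opcode ID"]].add(parse_source(r["Source File"])["base"])
    return {oid: sorted(bases) for oid, bases in seen.items() if len(bases) > 1}


def unbacked_regions(records):
    """Base addresses whose dump Joe Sandbox marks 'based on PE: false'."""
    return sorted({parse_source(r["Source File"])["base"] for r in records
                   if not parse_source(r["Source File"])["pe_backed"]})


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for base, n in sorted(functions_per_region(recs).items()):
        print(f"{base:#010x}: {n} function(s), unbacked={base in unbacked_regions(recs)}")
    for oid, bases in shared_opcode_ids(recs).items():
        print(oid[:16] + "... seen at", ", ".join(f"{b:#x}" for b in bases))
```

To run it over the whole page, paste the full listing into SAMPLE (or read it from a file): the per-region counts then show how much of the dumped code lives at 06B00000 versus the two 013Dx000/013Ex000 regions, and the shared-Opcode-ID list gives the duplicated functions whose Instruction IDs differ, a useful hint when deciding which region to carve out for static analysis of the RedLine payload.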