Windows Analysis Report
setup.exe

Overview

General Information

Sample name:setup.exe
Analysis ID:1465692
MD5:b0cfe4185035fc751ed0a62b1a95af98
SHA1:dc90ec29c5da5414702e9163ae0133d207608960
SHA256:ef5d295050a33cb9c2bd069a90855c74df58d0f7f6238885b48a6422eb6da137
Tags:exe
Infos:

Detection

RedLine
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RedLine Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • setup.exe (PID: 5284 cmdline: "C:\Users\user\Desktop\setup.exe" MD5: B0CFE4185035FC751ED0A62B1A95AF98)
    • conhost.exe (PID: 5868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 3704 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • WerFault.exe (PID: 7040 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5284 -s 156 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name:RedLine Stealer
Description:RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution:No Attribution
Blogpost URLs:
Link:https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": "77.105.135.107:3445", "Bot Id": "LogsDiller Cloud (TG: @logsdillabot)", "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}
Source: dump.pcap; Rule: JoeSecurity_RedLine_1; Description: Yara detected RedLine Stealer; Author: Joe Security
Source: dump.pcap; Rule: JoeSecurity_RedLine; Description: Yara detected RedLine Stealer; Author: Joe Security

Source: 00000000.00000002.1761326554.0000000000681000.00000004.00000001.01000000.00000003.sdmp; Rule: JoeSecurity_RedLine; Description: Yara detected RedLine Stealer; Author: Joe Security
Source: 00000002.00000002.1826335497.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_RedLine; Description: Yara detected RedLine Stealer; Author: Joe Security
Source: 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_RedLine; Description: Yara detected RedLine Stealer; Author: Joe Security
Source: 00000002.00000002.1827907274.0000000002BF3000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security

Source: 2.2.RegAsm.exe.400000.0.unpack; Rule: JoeSecurity_RedLine; Description: Yara detected RedLine Stealer; Author: Joe Security
Source: 0.2.setup.exe.650000.0.unpack; Rule: JoeSecurity_RedLine; Description: Yara detected RedLine Stealer; Author: Joe Security

No Sigma rule has matched

Timestamp:07/02/24-00:17:01.604285
SID:2046045
Source Port:49738
Destination Port:3445
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:07/02/24-00:17:12.934132
SID:2043231
Source Port:49738
Destination Port:3445
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:07/02/24-00:17:01.811299
SID:2043234
Source Port:3445
Destination Port:49738
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:07/02/24-00:17:07.057189
SID:2046056
Source Port:3445
Destination Port:49738
Protocol:TCP
Classtype:A Network Trojan was detected

AV Detection

Source: setup.exe; Avira: detected
Source: 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: RedLine {"C2 url": "77.105.135.107:3445", "Bot Id": "LogsDiller Cloud (TG: @logsdillabot)", "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}
Source: setup.exe; ReversingLabs: Detection: 83%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: setup.exe; Joe Sandbox ML: detected
Source: setup.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: setup.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Source: Traffic; Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.4:49738 -> 77.105.135.107:3445
Source: Traffic; Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.4:49738 -> 77.105.135.107:3445
Source: Traffic; Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 77.105.135.107:3445 -> 192.168.2.4:49738
Source: Traffic; Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 77.105.135.107:3445 -> 192.168.2.4:49738
Source: Malware configuration extractor; URLs: 77.105.135.107:3445
Source: global traffic; TCP traffic: 192.168.2.4:49738 -> 77.105.135.107:3445
Source: Joe Sandbox View; ASN Name: PLUSTELECOM-ASRU PLUSTELECOM-ASRU
Source: unknown; TCP traffic detected without corresponding DNS query: 77.105.135.107
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002DE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002BF3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002DE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1827907274.0000000002DD8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002DE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002DE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
                    Source: Amcache.hve.4.drString found in binary or memory: http://upx.sf.net
                    Source: RegAsm.exe, 00000002.00000002.1832420361.0000000003E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                    Source: setup.exe, 00000000.00000002.1761326554.0000000000681000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000002.00000002.1826335497.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
                    Source: RegAsm.exe, 00000002.00000002.1832420361.0000000003E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                    Source: RegAsm.exe, 00000002.00000002.1832420361.0000000003E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                    Source: RegAsm.exe, 00000002.00000002.1832420361.0000000003E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                    Source: RegAsm.exe, 00000002.00000002.1832420361.0000000003E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: RegAsm.exe, 00000002.00000002.1832420361.0000000003E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtabS
                    Source: RegAsm.exe, 00000002.00000002.1832420361.0000000003E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                    Source: RegAsm.exe, 00000002.00000002.1832420361.0000000003E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
                    Source: RegAsm.exe, 00000002.00000002.1832420361.0000000003E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                    Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00675940
                    Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_006668A9
                    Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_0065E1B2
                    Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00665379
                    Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_0066F4EC
                    Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_0065E4FA
                    Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00653D50
                    Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00661610
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00D9DC74
                    Source: C:\Users\user\Desktop\setup.exe Code function: String function: 00657F20 appears 51 times
                    Source: C:\Users\user\Desktop\setup.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5284 -s 156
                    Source: setup.exe, 00000000.00000002.1761326554.0000000000681000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamePunningly.exe8 vs setup.exe
                    Source: setup.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@5/6@0/1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\SystemCache
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Mutant created: NULL
                    Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5284
                    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5868:120:WilError_03
                    Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\be52fb3c-df2e-40ba-9969-75157a7950ec
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                    Source: C:\Users\user\Desktop\setup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: setup.exe ReversingLabs: Detection: 83%
                    Source: unknown Process created: C:\Users\user\Desktop\setup.exe "C:\Users\user\Desktop\setup.exe"
                    Source: C:\Users\user\Desktop\setup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\setup.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    Source: C:\Users\user\Desktop\setup.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5284 -s 156
                    Source: C:\Users\user\Desktop\setup.exe Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\setup.exe Section loaded: acgenral.dll
                    Source: C:\Users\user\Desktop\setup.exe Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\setup.exe Section loaded: winmm.dll
                    Source: C:\Users\user\Desktop\setup.exe Section loaded: samcli.dll
                    Source: C:\Users\user\Desktop\setup.exe Section loaded: msacm32.dll
                    Source: C:\Users\user\Desktop\setup.exe Section loaded: version.dll
                    Source: C:\Users\user\Desktop\setup.exe Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\setup.exe Section loaded: dwmapi.dll
                    Source: C:\Users\user\Desktop\setup.exe Section loaded: urlmon.dll
                    Source: C:\Users\user\Desktop\setup.exe Section loaded: mpr.dll
                    Source: C:\Users\user\Desktop\setup.exe Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\setup.exe Section loaded: winmmbase.dll
                    Source: C:\Users\user\Desktop\setup.exe Section loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\setup.exe Section loaded: srvcli.dll
                    Source: C:\Users\user\Desktop\setup.exe Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\setup.exe Section loaded: aclayers.dll
                    Source: C:\Users\user\Desktop\setup.exe Section loaded: sfc.dll
                    Source: C:\Users\user\Desktop\setup.exe Section loaded: sfc_os.dll
                    Source: C:\Users\user\Desktop\setup.exe Section loaded: kernel.appcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mscoree.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: acgenral.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winmm.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: samcli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msacm32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dwmapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: urlmon.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winmmbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iertutil.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: srvcli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: netutils.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dwrite.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msvcp140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: secur32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windowscodecs.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                    Source: setup.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                    Source: setup.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0065661B push 8B006761h; iretd 0_2_00656620
                    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_006576DD push ecx; ret 0_2_006576F0
                    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_006567E0 push 8B006761h; iretd 0_2_006567E5
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: D90000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2AC0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2900000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 1635
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 7163
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6820 Thread sleep time: -26747778906878833s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6440 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\setup.exe Last function: Thread delayed
                    Source: Amcache.hve.4.dr Binary or memory string: VMware
                    Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual USB Mouse
                    Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin
                    Source: Amcache.hve.4.dr Binary or memory string: VMware, Inc.
                    Source: Amcache.hve.4.dr Binary or memory string: VMware20,1hbin@
                    Source: Amcache.hve.4.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                    Source: Amcache.hve.4.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: Amcache.hve.4.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                    Source: Amcache.hve.4.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: Amcache.hve.4.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                    Source: Amcache.hve.4.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
                    Source: Amcache.hve.4.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: RegAsm.exe, 00000002.00000002.1826798165.0000000000C10000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: Amcache.hve.4.dr Binary or memory string: vmci.sys
                    Source: Amcache.hve.4.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                    Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin`
                    Source: Amcache.hve.4.dr Binary or memory string: \driver\vmci,\driver\pci
                    Source: Amcache.hve.4.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: Amcache.hve.4.dr Binary or memory string: VMware20,1
                    Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Generation Counter
                    Source: Amcache.hve.4.dr Binary or memory string: NECVMWar VMware SATA CD00
                    Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
                    Source: Amcache.hve.4.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                    Source: Amcache.hve.4.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                    Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                    Source: Amcache.hve.4.dr Binary or memory string: VMware PCI VMCI Bus Device
                    Source: Amcache.hve.4.dr Binary or memory string: VMware VMCI Bus Device
                    Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual RAM
                    Source: Amcache.hve.4.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                    Source: Amcache.hve.4.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\setup.exe Process queried: DebugPort
                    Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_0065BA33 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0065BA33
                    Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_006676EC mov eax, dword ptr fs:[00000030h] 0_2_006676EC
                    Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00662AD4 mov ecx, dword ptr fs:[00000030h] 0_2_00662AD4
                    Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00667730 mov eax, dword ptr fs:[00000030h] 0_2_00667730
                    Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_0066EC64 GetProcessHeap,0_2_0066EC64
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_006579F6 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_006579F6
                    Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00657CF9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00657CF9
                    Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00657E55 SetUnhandledExceptionFilter,0_2_00657E55
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\setup.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_0127018D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,0_2_0127018D
                    Source: C:\Users\user\Desktop\setup.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\setup.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                    Source: C:\Users\user\Desktop\setup.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
                    Source: C:\Users\user\Desktop\setup.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000
                    Source: C:\Users\user\Desktop\setup.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44E000
                    Source: C:\Users\user\Desktop\setup.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 916008
                    Source: C:\Users\user\Desktop\setup.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_006577CC cpuid 0_2_006577CC
                    Source: C:\Users\user\Desktop\setup.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_0066E82D
                    Source: C:\Users\user\Desktop\setup.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW,0_2_0066E09E
                    Source: C:\Users\user\Desktop\setup.exe Code function: GetLocaleInfoW,0_2_0066E933
                    Source: C:\Users\user\Desktop\setup.exe Code function: GetLocaleInfoW,0_2_006661B9
                    Source: C:\Users\user\Desktop\setup.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_0066EA02
                    Source: C:\Users\user\Desktop\setup.exe Code function: GetLocaleInfoW,0_2_0066E299
                    Source: C:\Users\user\Desktop\setup.exe Code function: EnumSystemLocalesW,0_2_0066E340
                    Source: C:\Users\user\Desktop\setup.exe Code function: EnumSystemLocalesW,0_2_0066E38B
                    Source: C:\Users\user\Desktop\setup.exe Code function: EnumSystemLocalesW,0_2_00665C53
                    Source: C:\Users\user\Desktop\setup.exe Code function: EnumSystemLocalesW,0_2_0066E426
                    Source: C:\Users\user\Desktop\setup.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_0066E4B1
                    Source: C:\Users\user\Desktop\setup.exe Code function: GetLocaleInfoW,0_2_0066E704
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00657BF3 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00657BF3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: Amcache.hve.4.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                    Source: Amcache.hve.4.dr Binary or memory string: msmpeng.exe
                    Source: Amcache.hve.4.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
                    Source: Amcache.hve.4.dr Binary or memory string: MsMpEng.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                    Stealing of Sensitive Information

                    Source: Yara match | File source: dump.pcap, type: PCAP
                    Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.setup.exe.650000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.1761326554.0000000000681000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.1826335497.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: setup.exe PID: 5284, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3704, type: MEMORYSTR
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002BF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Electrum\wallets
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002BF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $fq1C:\Users\user\AppData\Roaming\Electrum\wallets\*
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002BF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $fq-cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002BF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.walletLRfq
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002BF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum\walletsLRfq
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002BF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.walletLRfq
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002BF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $fq%appdata%`,fqdC:\Users\user\AppData\Roaming`,fqdC:\Users\user\AppData\Roaming\Binance
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002BF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum\walletsLRfq
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002BF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $fq&%localappdata%\Coinomi\Coinomi\walletsLRfq4
                    Source: RegAsm.exe, 00000002.00000002.1827907274.0000000002BF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $fq5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\atomic\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Binance\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
                    Source: Yara match | File source: 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.1827907274.0000000002BF3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3704, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: dump.pcap, type: PCAP
                    Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.setup.exe.650000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.1761326554.0000000000681000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.1826335497.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: setup.exe PID: 5284, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3704, type: MEMORYSTR
                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 221 Windows Management Instrumentation | 1 DLL Side-Loading | 411 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                    Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 261 Security Software Discovery | Remote Desktop Protocol | 3 Data from Local System | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
                    Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 251 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 411 Process Injection | NTDS | 251 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
                    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Obfuscated Files or Information | Cached Domain Credentials | 134 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                    Source | Detection | Scanner | Label | Link
                    setup.exe | 83% | ReversingLabs | Win32.Trojan.Convagent |
                    setup.exe | 100% | Avira | HEUR/AGEN.1317026 |
                    setup.exe | 100% | Joe Sandbox ML | |
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
                    No contacted domains info
                    Name | Malicious | Antivirus Detection | Reputation
                    77.105.135.107:3445 | true | Avira URL Cloud: safe | unknown
                    NameSourceMaliciousAntivirus DetectionReputation
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/CancelRegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://tempuri.org/Entity/Id9ResponseRegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=RegAsm.exe, 00000002.00000002.1832420361.0000000003E26000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://tempuri.org/Entity/Id20RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://tempuri.org/Entity/Id21RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://tempuri.org/Entity/Id22RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1RegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://tempuri.org/Entity/Id23RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1827907274.0000000002DD8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1RegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://tempuri.org/Entity/Id24RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/IssueRegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://tempuri.org/Entity/Id24ResponseRegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://www.ecosia.org/newtab/RegAsm.exe, 00000002.00000002.1832420361.0000000003E26000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://tempuri.org/Entity/Id1ResponseRegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedRegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyRegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/ReplayRegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegoRegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64BinaryRegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCRegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyRegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://tempuri.org/Entity/Id21ResponseDRegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2004/08/addressingRegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueRegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletionRegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2004/04/trustRegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://tempuri.org/Entity/Id10RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://tempuri.org/Entity/Id11RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://tempuri.org/Entity/Id10ResponseDRegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://tempuri.org/Entity/Id12RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://tempuri.org/Entity/Id16ResponseRegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseRegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelRegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://tempuri.org/Entity/Id13RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://tempuri.org/Entity/Id14RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://tempuri.org/Entity/Id15RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://tempuri.org/Entity/Id16RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2005/02/trust/NonceRegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://tempuri.org/Entity/Id17RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://tempuri.org/Entity/Id18RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://tempuri.org/Entity/Id5ResponseRegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://tempuri.org/Entity/Id19RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsRegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://tempuri.org/Entity/Id15ResponseDRegAsm.exe, 00000002.00000002.1827907274.0000000002BF3000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://tempuri.org/Entity/Id10ResponseRegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RenewRegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://tempuri.org/Entity/Id11ResponseDRegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://tempuri.org/Entity/Id8ResponseRegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyRegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0RegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDRegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTRegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2006/02/addressingidentityRegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://tempuri.org/Entity/Id17ResponseDRegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://schemas.xmlsoap.org/soap/envelope/RegAsm.exe, 00000002.00000002.1827907274.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://tempuri.org/Entity/Id8ResponseDRegAsm.exe, 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      IP:77.105.135.107
                      Domain:unknown
                      Country:Russian Federation
                      ASN:42031
                      ASN Name:PLUSTELECOM-ASRU
                      Malicious:true
                      Joe Sandbox version:40.0.0 Tourmaline
                      Analysis ID:1465692
                      Start date and time:2024-07-02 00:16:06 +02:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 3m 12s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of analysed new started processes analysed:6
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:setup.exe
                      Detection:MAL
                      Classification:mal100.troj.spyw.evad.winEXE@5/6@0/1
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 33
                      • Number of non-executed functions: 55
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Stop behavior analysis, all processes terminated
                      • Exclude process from analysis (whitelisted): WerFault.exe, SIHClient.exe
                      • Excluded IPs from analysis (whitelisted): 20.189.173.21
                      • Excluded domains from analysis (whitelisted): login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, umwatson.events.data.microsoft.com
                      • Not all processes were analyzed, report is missing behavior information
                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                      • VT rate limit hit for: setup.exe
                      Time | Type | Description
                      18:17:05 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                      18:17:07 | API Interceptor | 45x Sleep call for process: RegAsm.exe modified
                      Match | Associated Sample Name / URL | Detection | Threat Name | Context
                      77.105.135.107 | 1719859269.0326595_setup.exe | malicious | LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig |
                        No context
                        Match | Associated Sample Name / URL | Detection | Threat Name | Context
                        PLUSTELECOM-ASRU | 1719859269.0326595_setup.exe | malicious | LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig | 77.105.135.107
                        PLUSTELECOM-ASRU | zyJWi2vy29.exe | malicious | LummaC, PureLog Stealer, RisePro Stealer, Vidar, zgRAT | 77.105.132.27
                        PLUSTELECOM-ASRU | 1719520929.094843_setup.exe | malicious | LummaC Stealer, Mars Stealer, PrivateLoader, PureLog Stealer, Socks5Systemz, Stealc, Vidar | 77.105.132.27
                        PLUSTELECOM-ASRU | 1Cvd8TyYPm.exe | malicious | LummaC, Mars Stealer, PureLog Stealer, Stealc, Vidar, Xmrig, zgRAT | 77.105.133.27
                        PLUSTELECOM-ASRU | HXUYIDwIMY.exe | malicious | Meduza Stealer | 77.105.147.172
                        PLUSTELECOM-ASRU | lhZOo8vhuI.elf | malicious | Unknown | 77.105.138.202
                        PLUSTELECOM-ASRU | file.exe | malicious | PrivateLoader, PureLog Stealer | 77.105.147.130
                        PLUSTELECOM-ASRU | yqeO67O9gY.elf | malicious | Mirai | 77.105.140.109
                        PLUSTELECOM-ASRU | 676767.exe | malicious | Remcos | 77.105.132.92
                        PLUSTELECOM-ASRU | setup.exe | malicious | PureLog Stealer, RHADAMANTHYS | 77.105.147.130
                        No context
                        No context
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):65536
                        Entropy (8bit):0.9142851505283975
                        Encrypted:false
                        SSDEEP:96:H+FsQgUs1hqRouyDqPQXIDcQJc6rcEbcw3v+HbHg/1AnQECaVDPCoLnNfoU+jF9R:emQgUjO0nvh4jICBwzuiFSZ24IO83
                        MD5:0F41BF53B48E069291CB5DAD44597FD5
                        SHA1:17B4A4961F4643541CAC861D58B7A73A0A34CB06
                        SHA-256:1E9763320CCEDF2FBEEA2E1339C3BC824DBF839E3C3B26590C7D2D4BB768CA86
                        SHA-512:AA5DE2E13E61CE3D11419E3F710C94E47692A28A491198C9A5379294C19FE860A47C191BDE8D6F40ECCF40DC081D470E2DAA0DDCCB2AB05F9D2F5304E30F3120
                        Malicious:true
                        Reputation:low
                        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.4.3.4.5.8.2.1.2.0.5.8.3.3.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.4.3.4.5.8.2.1.5.4.9.5.8.2.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.1.8.f.5.1.e.4.-.4.d.2.a.-.4.f.d.e.-.9.e.3.2.-.d.f.f.5.3.f.2.c.6.1.f.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.c.e.5.4.a.f.4.-.6.f.6.c.-.4.d.1.1.-.b.0.f.d.-.0.0.0.d.2.8.8.c.c.1.5.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.s.e.t.u.p...e.x.e._.u.n.k.n.o.w.n.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.a.4.-.0.0.0.1.-.0.0.1.4.-.4.2.a.9.-.d.1.6.3.0.4.c.c.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.6.6.e.3.a.f.a.d.a.5.8.7.7.4.c.1.3.7.3.d.f.b.1.9.a.0.8.c.0.4.9.0.0.0.0.f.f.f.f.!.0.0.0.0.d.c.9.0.e.c.2.9.c.5.d.a.5.4.1.4.7.0.2.e.9.1.6.3.a.e.0.1.3.3.d.2.0.7.6.0.8.9.6.0.!.s.e.t.u.p...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Mini DuMP crash report, 14 streams, Mon Jul 1 22:17:01 2024, 0x1205a4 type
                        Category:dropped
                        Size (bytes):45772
                        Entropy (8bit):2.016482351138773
                        Encrypted:false
                        SSDEEP:192:/szefaYiXQvrYX5lMOYs3SadhZ8JPlWvyBOUXf+1hcpz4ZG:/TbfvriDL3SafGPlWwOUX21hcgG
                        MD5:A7D0025C690507CDE4EB07DAF095E6A7
                        SHA1:CFF18380F7DC22712529E62E9A51B4A12CEB2EF2
                        SHA-256:E9BEE09F1CEACD3C1F0889D2D9A5531012723AA94AFB92092D8DE82C53BAE8D4
                        SHA-512:1541EED3805FEC0A40158F69BB4EB32BAF81FC043B3CE70DEA5D336A98055A554A6ECADACE840573B7926DBDECFB9944A40BA159E0A2424FECE8F50791515533
                        Malicious:false
                        Reputation:low
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):8358
                        Entropy (8bit):3.6976837904810864
                        Encrypted:false
                        SSDEEP:192:R6l7wVeJ9a6qg6Y9JSU9zfgmf2JJD/Ppr+89bfdsfa1m:R6lXJA6d6YDSU9zfgmf2JJD/VfWfx
                        MD5:A4CA2F45498B61A1F96C223668B9C5EA
                        SHA1:E02095A0093B82FED4F30C03253E1DD6E74472CC
                        SHA-256:0A385D2C0B3749BE288CED20B29CB6A86100CD94095F0729D3A25C528A898EBE
                        SHA-512:F1138DE2F6BEF190C8AE3489EAF662C29B8FB254F7F8467C9779F3B589B3CC3AE9F3AD018FAD7CB0B99CFECD896317B3DBBC7BBE67EC7050B4B399D45DE274A4
                        Malicious:false
                        Reputation:low
                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.2.8.4.<./.P.i.
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):4634
                        Entropy (8bit):4.491751117395461
                        Encrypted:false
                        SSDEEP:48:cvIwWl8zsQJg77aI9pi+yWpW8VYDYm8M4JSd+wFz+q8R+2qfydd:uIjfWI7Hi67VrJSdViFqfydd
                        MD5:10C254C6A8F9F55ACDDE85BEFD749333
                        SHA1:60BFC0BBB1E3490B92C50EAE5194C0006B9AC2EC
                        SHA-256:D05E0B503AF1D54E566AA4F27662ED1D0C7D17054E580D5B9FEC741F945CF58D
                        SHA-512:360A5B37A2EC0C823F79BAEA53DB07D45DC6883ED450951070A1776F49B5749EA42728AA2431356BF68C8AF5272B70A68AB2900C3F94B87E538956D19A94D3F1
                        Malicious:false
                        Reputation:low
                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="392479" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):3094
                        Entropy (8bit):5.33145931749415
                        Encrypted:false
                        SSDEEP:96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqc85VD:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
                        MD5:2A56468A7C0F324A42EA599BF0511FAF
                        SHA1:404B343A86EDEDF5B908D7359EB8AA957D1D4333
                        SHA-256:6398E0BD46082BBC30008BC72A2BA092E0A1269052153D343AA40F935C59957C
                        SHA-512:19B79181C40AA51C7ECEFCD4C9ED42D5BA19EA493AE99654D3A763EA9B21B1ABE5B5739AAC425E461609E1165BCEA749CFB997DE0D35303B4CF2A29BDEF30B17
                        Malicious:false
                        Reputation:high, very likely benign file
                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:MS Windows registry file, NT/2000 or above
                        Category:dropped
                        Size (bytes):1835008
                        Entropy (8bit):4.465273110827348
                        Encrypted:false
                        SSDEEP:6144:yIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNHdwBCswSbu:3XD94+WlLZMM6YFH1+u
                        MD5:F0BFE9E928956C3A7CD6237B98732EAF
                        SHA1:9E25A7E61C73672A972ED3F0106BD2ED1A86BF4E
                        SHA-256:1ED4DD1985E01DD2A8AB1148417075115D227CEB2A6EDF18A001646F7AEE74A0
                        SHA-512:957D715B8E1CA13F060F283527F840258FBEDF2607BC03C1501CF0349E1C03CF112D5547E1EDE0E123490EB5FBBC3B7220CE64438AE0A323027EF1E49D50F5DF
                        Malicious:false
                        Reputation:low
                        File type:PE32 executable (console) Intel 80386, for MS Windows
                        Entropy (8bit):7.647344150799475
                        TrID:
                        • Win32 Executable (generic) a (10002005/4) 99.96%
                        • Generic Win/DOS Executable (2004/3) 0.02%
                        • DOS Executable Generic (2002/1) 0.02%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:setup.exe
                        File size:514'560 bytes
                        MD5:b0cfe4185035fc751ed0a62b1a95af98
                        SHA1:dc90ec29c5da5414702e9163ae0133d207608960
                        SHA256:ef5d295050a33cb9c2bd069a90855c74df58d0f7f6238885b48a6422eb6da137
                        SHA512:22d2dda36d5a7a1d29560db389b4811481c6ee39158903e5debc2a95a641929317a3d487cf138bc7e06c55dd05fdd92687159e81ed5fa5d9d18b5660e5c39c24
                        SSDEEP:12288:R9Z5uG0VGH6CNq93+xYg1dSjBYSuBbT+g6:vlOGaCT7ZBBbq
                        TLSH:4CB4F11574C08072D662113206F4D7B89E3DF9304F669ECF67D80B7E4F742D29936AAA
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........x...+...+...+z..*...+z..*...+z..*...+k\.*...+k\.*...+z..*...+...+(..+k\.*...+Z_.*...+Z_.*...+Z_.*...+Rich...+........PE..L..
                        Icon Hash:90cececece8e8eb0
                        Entrypoint:0x407482
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows cui
                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                        Time Stamp:0x668189BD [Sun Jun 30 16:37:17 2024 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:6
                        OS Version Minor:0
                        File Version Major:6
                        File Version Minor:0
                        Subsystem Version Major:6
                        Subsystem Version Minor:0
                        Import Hash:bdd081110ce6691ddde6cfe79c51d26e
                        Instruction
                        call 00007F3C14C65B0Eh
                        jmp 00007F3C14C651C9h
                        push ebp
                        mov ebp, esp
                        mov eax, dword ptr [ebp+08h]
                        push esi
                        mov ecx, dword ptr [eax+3Ch]
                        add ecx, eax
                        movzx eax, word ptr [ecx+14h]
                        lea edx, dword ptr [ecx+18h]
                        add edx, eax
                        movzx eax, word ptr [ecx+06h]
                        imul esi, eax, 28h
                        add esi, edx
                        cmp edx, esi
                        je 00007F3C14C6536Bh
                        mov ecx, dword ptr [ebp+0Ch]
                        cmp ecx, dword ptr [edx+0Ch]
                        jc 00007F3C14C6535Ch
                        mov eax, dword ptr [edx+08h]
                        add eax, dword ptr [edx+0Ch]
                        cmp ecx, eax
                        jc 00007F3C14C6535Eh
                        add edx, 28h
                        cmp edx, esi
                        jne 00007F3C14C6533Ch
                        xor eax, eax
                        pop esi
                        pop ebp
                        ret
                        mov eax, edx
                        jmp 00007F3C14C6534Bh
                        push esi
                        call 00007F3C14C65DE4h
                        test eax, eax
                        je 00007F3C14C65372h
                        mov eax, dword ptr fs:[00000018h]
                        mov esi, 0047D1F0h
                        mov edx, dword ptr [eax+04h]
                        jmp 00007F3C14C65356h
                        cmp edx, eax
                        je 00007F3C14C65362h
                        xor eax, eax
                        mov ecx, edx
                        lock cmpxchg dword ptr [esi], ecx
                        test eax, eax
                        jne 00007F3C14C65342h
                        xor al, al
                        pop esi
                        ret
                        mov al, 01h
                        pop esi
                        ret
                        push ebp
                        mov ebp, esp
                        cmp dword ptr [ebp+08h], 00000000h
                        jne 00007F3C14C65359h
                        mov byte ptr [0047D1F4h], 00000001h
                        call 00007F3C14C6560Ah
                        call 00007F3C14C68377h
                        test al, al
                        jne 00007F3C14C65356h
                        xor al, al
                        pop ebp
                        ret
                        call 00007F3C14C72624h
                        test al, al
                        jne 00007F3C14C6535Ch
                        push 00000000h
                        call 00007F3C14C6837Eh
                        pop ecx
                        jmp 00007F3C14C6533Bh
                        mov al, 01h
                        pop ebp
                        ret
                        push ebp
                        mov ebp, esp
                        cmp byte ptr [0047D1F5h], 00000000h
                        je 00007F3C14C65356h
                        mov al, 01h
                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x306e0 | 0x48 | .rdata
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x30728 | 0x3c | .rdata
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7e000 | 0x1d50 | .reloc
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2e968 | 0x1c | .rdata
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2e8a8 | 0x40 | .rdata
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IAT | 0x26000 | 0x168 | .rdata
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        .text | 0x1000 | 0x23906 | 0x23a00 | 9cc9e69cc2b919f4e3f3891ad6c09974 | False | 0.5678042763157894 | data | 6.66321463190122 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        .bss | 0x25000 | 0xe2d | 0x1000 | b9555079f4058c9191f53fd081cbcf20 | False | 0.574951171875 | data | 6.000697093127323 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        .rdata | 0x26000 | 0xaf58 | 0xb000 | 2bd26ddbeffdb48edc2e50a044d14002 | False | 0.4250266335227273 | data | 5.052866112468185 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .data | 0x31000 | 0x4ccf4 | 0x4be00 | d8c33e9ef3ef203725dc0a1620b4286a | False | 0.9878726060543658 | data | 7.990013177731962 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .reloc | 0x7e000 | 0x1d50 | 0x1e00 | 674489e8e66aae028e5dbee205e11986 | False | 0.7651041666666667 | data | 6.5116983386410325 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                        DLL | Import
                        USER32.dll | OffsetRect
                        KERNEL32.dll | CreateFileW, HeapSize, GetProcessHeap, SetStdHandle, WaitForSingleObject, Sleep, CreateThread, VirtualAlloc, GetModuleHandleA, GetProcAddress, GetConsoleWindow, CloseHandle, WaitForSingleObjectEx, GetCurrentThreadId, GetExitCodeThread, WideCharToMultiByte, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, QueryPerformanceCounter, ReleaseSRWLockExclusive, WakeAllConditionVariable, EncodePointer, DecodePointer, MultiByteToWideChar, LCMapStringEx, GetSystemTimeAsFileTime, GetModuleHandleW, GetStringTypeW, GetCPInfo, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetCurrentProcessId, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, SetEnvironmentVariableW, RaiseException, RtlUnwind, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, ExitThread, FreeLibraryAndExitThread, GetModuleHandleExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW
                        Name | Ordinal | Address
                        AwakeSound | 1 | 0x425d20
                        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                        07/02/24-00:17:01.604285 | TCP | 2046045 | ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 49738 | 3445 | 192.168.2.4 | 77.105.135.107
                        07/02/24-00:17:12.934132 | TCP | 2043231 | ET TROJAN Redline Stealer TCP CnC Activity | 49738 | 3445 | 192.168.2.4 | 77.105.135.107
                        07/02/24-00:17:01.811299 | TCP | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 3445 | 49738 | 77.105.135.107 | 192.168.2.4
                        07/02/24-00:17:07.057189 | TCP | 2046056 | ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) | 3445 | 49738 | 77.105.135.107 | 192.168.2.4
                        Jul 2, 2024 00:17:10.495474100 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.495480061 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.495537996 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.495543003 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.495549917 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.495630026 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.495635986 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.495893002 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.496114016 CEST497383445192.168.2.477.105.135.107
                        Jul 2, 2024 00:17:10.496195078 CEST497383445192.168.2.477.105.135.107
                        Jul 2, 2024 00:17:10.497792006 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.497797012 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.497843981 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.497859955 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.497927904 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.497932911 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.498003960 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.498008013 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.498050928 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.498054981 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.498090982 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.498095036 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.498181105 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.498184919 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.498198986 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.498214960 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.498274088 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.498287916 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.498303890 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.498323917 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.498339891 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.498361111 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.498369932 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.498440027 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.498552084 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.498560905 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.498574972 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.498579025 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.498589039 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.498617887 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.498632908 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.498655081 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.498661995 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.498708010 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.498713017 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.500967026 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.501111984 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.501116991 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.501220942 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.501226902 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.501351118 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.501390934 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.501395941 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.501405954 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.501471043 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.501475096 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.501523018 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.501528025 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.501584053 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.501588106 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.501627922 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.501754999 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.501811028 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.502502918 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.502676010 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.502706051 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.502711058 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.502720118 CEST497383445192.168.2.477.105.135.107
                        Jul 2, 2024 00:17:10.502799034 CEST497383445192.168.2.477.105.135.107
                        Jul 2, 2024 00:17:10.502830982 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.502881050 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.502924919 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.502931118 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.502993107 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.502996922 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.503092051 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.503096104 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.503177881 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.503181934 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.503272057 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.503276110 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.503329039 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.503333092 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.503343105 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.503349066 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.503494024 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.503499031 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.503549099 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.503582954 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.503588915 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.503726006 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.503731966 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.503741980 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.503798962 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.503803015 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.503927946 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.504007101 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.504046917 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.504051924 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.504157066 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.504169941 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.504184008 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.504194021 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.504349947 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.504354000 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.504467010 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.504477024 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.504560947 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.504566908 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.504654884 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.504658937 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.504698992 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.504762888 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.504951954 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.505114079 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.505394936 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.505477905 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.505481958 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.505503893 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.509027958 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.509260893 CEST497383445192.168.2.477.105.135.107
                        Jul 2, 2024 00:17:10.509345055 CEST497383445192.168.2.477.105.135.107
                        Jul 2, 2024 00:17:10.509439945 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.509447098 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.509475946 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.509480953 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.509557962 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.509565115 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.509649992 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.509654045 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.509702921 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.509785891 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.509789944 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.509800911 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.509840012 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.509844065 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.509999037 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.510013103 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.510015965 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.510020971 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.510026932 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.510031939 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.510044098 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.510049105 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.510071039 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.510076046 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.510093927 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.510097980 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.510107994 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.510113955 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.510214090 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.510232925 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.510236979 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.510246992 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.510252953 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.510272026 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.510276079 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.510341883 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.510391951 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.510396004 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.510519028 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.510521889 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.510533094 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.511128902 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.511152029 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.511154890 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.511215925 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.511226892 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.511231899 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.511296034 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.511298895 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.511310101 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.511317015 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.511368990 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.515547991 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.515571117 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.515583992 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.515609026 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.515628099 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.515631914 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.515690088 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.515695095 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.515778065 CEST497383445192.168.2.477.105.135.107
                        Jul 2, 2024 00:17:10.515852928 CEST497383445192.168.2.477.105.135.107
                        Jul 2, 2024 00:17:10.516096115 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.516136885 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.516273022 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.516294956 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.516316891 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.516345978 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.516386986 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.516401052 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.516412020 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.516474009 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.516489029 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.516490936 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.516522884 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.516527891 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.516599894 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.516623020 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.516628027 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.516638041 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.516690969 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.516700983 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.516757965 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.516762018 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.516823053 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.516827106 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.516836882 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.516948938 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.516952991 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.516963005 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.516978025 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.516982079 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.516988039 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.516993046 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.517003059 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.517009020 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.517080069 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.517092943 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.517098904 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.517107964 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.517113924 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.517123938 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.517128944 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.517139912 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.517144918 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.517167091 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.517177105 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.522393942 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.522414923 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.522419930 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.522429943 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.522455931 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.522460938 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.522485971 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.522501945 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.522516966 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.522522926 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.522557974 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.522562027 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.522564888 CEST497383445192.168.2.477.105.135.107
                        Jul 2, 2024 00:17:10.522629976 CEST497383445192.168.2.477.105.135.107
                        Jul 2, 2024 00:17:10.522634983 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.522650957 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.522661924 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.522666931 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.522682905 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.522687912 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.522797108 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.522805929 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.522815943 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.522834063 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.522838116 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.522849083 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.522875071 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.522880077 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.522897005 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.522902012 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.522922993 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.522928953 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.522957087 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.522993088 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.523086071 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.523093939 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.523143053 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.523241997 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.523246050 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.523256063 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.523292065 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.523294926 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.523370981 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.523397923 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.523411036 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.523431063 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.523443937 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.523453951 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.523511887 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.523515940 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.523525953 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.523533106 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.523570061 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.523574114 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.523626089 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.529011011 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.529028893 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.529033899 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.529046059 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.529050112 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.529238939 CEST497383445192.168.2.477.105.135.107
                        Jul 2, 2024 00:17:10.529480934 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.529486895 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.529582977 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.529587984 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.529597998 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.529603958 CEST34454973877.105.135.107192.168.2.4
                        Jul 2, 2024 00:17:10.529685974 CEST34454973877.105.135.107192.168.2.4


                        Target ID: 0
                        Start time: 18:16:58
                        Start date: 01/07/2024
                        Path: C:\Users\user\Desktop\setup.exe
                        Wow64 process (32bit): true
                        Commandline: "C:\Users\user\Desktop\setup.exe"
                        Imagebase: 0x650000
                        File size: 514'560 bytes
                        MD5 hash: B0CFE4185035FC751ED0A62B1A95AF98
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1761326554.0000000000681000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                        Reputation: low
                        Has exited: true

                        Target ID: 1
                        Start time: 18:16:58
                        Start date: 01/07/2024
                        Path: C:\Windows\System32\conhost.exe
                        Wow64 process (32bit): false
                        Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase: 0x7ff7699e0000
                        File size: 862'208 bytes
                        MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
                        Reputation: high
                        Has exited: true

                        Target ID: 2
                        Start time: 18:16:59
                        Start date: 01/07/2024
                        Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                        Wow64 process (32bit): true
                        Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                        Imagebase: 0x690000
                        File size: 65'440 bytes
                        MD5 hash: 0D5DF43AF2916F47D00C1573797C1A13
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.1826335497.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.1827907274.0000000002B55000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1827907274.0000000002BF3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        Reputation: high
                        Has exited: true

                        Target ID: 4
                        Start time: 18:17:01
                        Start date: 01/07/2024
                        Path: C:\Windows\SysWOW64\WerFault.exe
                        Wow64 process (32bit): true
                        Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 5284 -s 156
                        Imagebase: 0xce0000
                        File size: 483'680 bytes
                        MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
                        Reputation: high
                        Has exited: true


                          Execution Graph

                          Execution Coverage: 4.5%
                          Dynamic/Decrypted Code Coverage: 100%
                          Signature Coverage: 2.6%
                          Total number of Nodes: 2000
                          Total number of Limit Nodes: 53
6600ae __dosmaperr 14 API calls 18387->18388 18388->18384 18393 6626ee 18389->18393 18394 6626bf 18389->18394 18390 662705 18392 665a1c ___free_lconv_mon 14 API calls 18390->18392 18391 665a1c ___free_lconv_mon 14 API calls 18391->18393 18392->18394 18393->18390 18393->18391 18394->18003 18396 65bc68 18395->18396 18397 65ba33 __FrameHandler3::FrameUnwindToState 8 API calls 18396->18397 18398 65bc7d GetCurrentProcess TerminateProcess 18397->18398 18398->18008 18402 6571cc 18399->18402 18401 6571e6 18401->17816 18407 675000 18401->18407 18402->18401 18403 661ffd codecvt 2 API calls 18402->18403 18404 6571e8 codecvt 18402->18404 18442 65f713 18402->18442 18403->18402 18451 658050 18404->18451 18406 6579f0 18454 654e70 18407->18454 18414 6571c7 codecvt 16 API calls 18415 675030 18414->18415 18416 6571c7 codecvt 16 API calls 18415->18416 18417 67506f 18415->18417 18418 675040 18416->18418 18419 6750b9 18417->18419 18420 675079 GetCurrentThreadId 18417->18420 18482 65f1c6 18418->18482 18421 6552bb std::_Throw_Cpp_error 43 API calls 18419->18421 18422 675083 18420->18422 18423 6750c0 18420->18423 18421->18423 18497 655105 WaitForSingleObjectEx 18422->18497 18424 6552bb std::_Throw_Cpp_error 43 API calls 18423->18424 18428 6750c7 18424->18428 18431 6552bb std::_Throw_Cpp_error 43 API calls 18428->18431 18429 675096 std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 18429->17819 18430 675066 18430->18417 18432 6750ac 18430->18432 18433 6750ce 18431->18433 18436 654e70 72 API calls 18435->18436 18437 6755b2 18436->18437 18443 666756 18442->18443 18444 666794 18443->18444 18445 66677f HeapAlloc 18443->18445 18449 666768 __Getctype 18443->18449 18446 6600ae __dosmaperr 14 API calls 18444->18446 18448 666792 18445->18448 18445->18449 18447 666799 18446->18447 18447->18402 18448->18447 18449->18444 18449->18445 18450 661ffd codecvt 2 API calls 18449->18450 18450->18449 18452 658097 RaiseException 18451->18452 18453 65806a 18451->18453 18452->18406 18453->18452 18455 654e7c 18454->18455 
18509 65eedb 18455->18509 18458 651160 18459 651196 18458->18459 18859 652950 18459->18859 18462 65130a 18867 6550fa 18462->18867 18464 6511e3 18468 6511e8 18464->18468 18864 654dd0 18464->18864 18465 65130f 18467 65131d 18465->18467 18871 653540 18465->18871 18466 651343 std::ios_base::_Init 18875 652860 18466->18875 18474 651e70 18467->18474 18468->18462 18468->18466 18472 658050 Concurrency::cancel_current_task RaiseException 18473 651385 18472->18473 18475 651e90 18474->18475 19055 651ee0 18475->19055 18477 651e9a 19084 654be0 18477->19084 18480 6546e0 51 API calls 18481 651ed5 18480->18481 18481->18414 18483 65f1e7 18482->18483 18484 65f1d3 18482->18484 19359 65f176 18483->19359 18485 6600ae __dosmaperr 14 API calls 18484->18485 18487 65f1d8 18485->18487 18489 65bc2f __strnicoll 41 API calls 18487->18489 18491 65f1e3 18489->18491 18491->18430 18498 65511c 18497->18498 18501 65514e 18497->18501 18499 655123 GetExitCodeThread 18498->18499 18500 655139 CloseHandle 18498->18500 18499->18501 18502 655134 18499->18502 18500->18501 18501->18428 18501->18429 18502->18500 18510 65eeef _Fputc 18509->18510 18511 65ef11 18510->18511 18513 65ef38 18510->18513 18512 65bbb2 _Fputc 41 API calls 18511->18512 18514 65ef2c 18512->18514 18518 65c98f 18513->18518 18516 65b96b _Fputc 41 API calls 18514->18516 18517 654e97 18516->18517 18517->18458 18519 65c99b __FrameHandler3::FrameUnwindToState 18518->18519 18526 65c967 EnterCriticalSection 18519->18526 18521 65c9a9 18527 65d722 18521->18527 18526->18521 18541 667602 18527->18541 18529 65d749 18550 65d96a 18529->18550 18536 65720a __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 18537 65c9b6 18536->18537 18538 65c9de 18537->18538 18858 65c97b LeaveCriticalSection 18538->18858 18540 65c9c7 18540->18514 18572 6675c7 18541->18572 18543 667613 18544 667663 18543->18544 18545 66768c 18543->18545 18546 666756 std::_Locinfo::_Locinfo_dtor 15 API calls 18544->18546 18545->18529 18547 66766d 18546->18547 18548 665a1c 
___free_lconv_mon 14 API calls 18547->18548 18549 667676 18548->18549 18549->18545 18594 65ec7d 18550->18594 18553 65d993 18554 65bbb2 _Fputc 41 API calls 18553->18554 18555 65d790 18554->18555 18565 65d6e4 18555->18565 18560 65d9be std::_Locinfo::_Locinfo_dtor 18560->18555 18561 65db9b 18560->18561 18600 65c690 18560->18600 18607 65d8f2 18560->18607 18610 65def6 18560->18610 18644 65e1b2 18560->18644 18562 65bbb2 _Fputc 41 API calls 18561->18562 18563 65dbb7 18562->18563 18564 65bbb2 _Fputc 41 API calls 18563->18564 18564->18555 18566 665a1c ___free_lconv_mon 14 API calls 18565->18566 18567 65d6f4 18566->18567 18568 6676ae 18567->18568 18569 65d7aa 18568->18569 18570 6676b9 18568->18570 18569->18536 18570->18569 18809 660453 18570->18809 18573 6675d3 18572->18573 18577 6675f4 18573->18577 18578 66758b 18573->18578 18575 6675ee 18585 670c4c 18575->18585 18577->18543 18579 667597 18578->18579 18580 6675ac 18578->18580 18581 6600ae __dosmaperr 14 API calls 18579->18581 18580->18575 18582 66759c 18581->18582 18583 65bc2f __strnicoll 41 API calls 18582->18583 18584 6675a7 18583->18584 18584->18575 18586 670c66 18585->18586 18587 670c59 18585->18587 18589 670c72 18586->18589 18590 6600ae __dosmaperr 14 API calls 18586->18590 18588 6600ae __dosmaperr 14 API calls 18587->18588 18591 670c5e 18588->18591 18589->18577 18592 670c93 18590->18592 18591->18577 18593 65bc2f __strnicoll 41 API calls 18592->18593 18593->18591 18595 65ec88 18594->18595 18596 65ecaa 18594->18596 18597 65bbb2 _Fputc 41 API calls 18595->18597 18673 65ece6 18596->18673 18599 65d985 18597->18599 18599->18553 18599->18555 18599->18560 18681 65ba16 18600->18681 18700 65ccc7 18607->18700 18609 65d92d 18609->18560 18611 65df14 18610->18611 18612 65defd 18610->18612 18615 65bbb2 _Fputc 41 API calls 18611->18615 18623 65df53 18611->18623 18613 65e247 18612->18613 18614 65e1d6 18612->18614 18612->18623 18619 65e24c 18613->18619 18620 65e29a 18613->18620 18616 65e274 18614->18616 18617 65e1dc 18614->18617 18618 
65df48 18615->18618 18742 65d071 18616->18742 18628 65e219 18617->18628 18630 65e1e2 18617->18630 18618->18560 18621 65e28e 18619->18621 18622 65e24e 18619->18622 18620->18616 18620->18628 18643 65e1fe 18620->18643 18759 65ebf6 18621->18759 18624 65e253 18622->18624 18625 65e1f0 18622->18625 18623->18560 18624->18616 18629 65e258 18624->18629 18642 65e212 18625->18642 18625->18643 18749 65e936 18625->18749 18628->18642 18723 65d1ee 18628->18723 18633 65e25d 18629->18633 18634 65e26b 18629->18634 18630->18625 18632 65e22e 18630->18632 18630->18643 18632->18642 18730 65eac0 18632->18730 18633->18642 18734 65ebd9 18633->18734 18738 65eb55 18634->18738 18638 65720a __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 18639 65e4f8 18638->18639 18639->18560 18642->18638 18643->18642 18762 6672ee 18643->18762 18645 65e247 18644->18645 18646 65e1d6 18644->18646 18649 65e24c 18645->18649 18650 65e29a 18645->18650 18647 65e274 18646->18647 18648 65e1dc 18646->18648 18657 65d071 42 API calls 18647->18657 18656 65e219 18648->18656 18660 65e1e2 18648->18660 18651 65e28e 18649->18651 18652 65e24e 18649->18652 18650->18647 18650->18656 18672 65e1fe 18650->18672 18655 65ebf6 42 API calls 18651->18655 18653 65e253 18652->18653 18654 65e1f0 18652->18654 18653->18647 18658 65e258 18653->18658 18661 65e936 44 API calls 18654->18661 18671 65e212 18654->18671 18654->18672 18655->18672 18664 65d1ee 42 API calls 18656->18664 18656->18671 18657->18672 18662 65e25d 18658->18662 18663 65e26b 18658->18663 18659 65e22e 18666 65eac0 43 API calls 18659->18666 18659->18671 18660->18654 18660->18659 18660->18672 18661->18672 18669 65ebd9 42 API calls 18662->18669 18662->18671 18665 65eb55 41 API calls 18663->18665 18664->18672 18665->18672 18666->18672 18667 65720a __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 18668 65e4f8 18667->18668 18668->18560 18669->18672 18670 6672ee 43 API calls 18670->18672 18671->18667 18672->18670 18672->18671 18674 65ecfa 18673->18674 18680 65ed64 
18673->18680 18675 66758b __fread_nolock 41 API calls 18674->18675 18676 65ed01 18675->18676 18677 6600ae __dosmaperr 14 API calls 18676->18677 18676->18680 18678 65ed59 18677->18678 18679 65bc2f __strnicoll 41 API calls 18678->18679 18679->18680 18680->18599 18682 65ba20 18681->18682 18683 65ba29 18681->18683 18696 65b9d0 GetLastError 18682->18696 18688 665bb7 18683->18688 18685 65ba25 18685->18683 18686 65f6cf __FrameHandler3::FrameUnwindToState 41 API calls 18685->18686 18687 65ba32 18686->18687 18689 65c6bd 18688->18689 18690 665bce 18688->18690 18692 665c15 18689->18692 18690->18689 18691 66d8d1 __Getctype 41 API calls 18690->18691 18691->18689 18693 65c6ca 18692->18693 18694 665c2c 18692->18694 18693->18560 18694->18693 18695 66bfb4 __strnicoll 41 API calls 18694->18695 18695->18693 18697 65b9e9 18696->18697 18698 664ef2 _Fputc 14 API calls 18697->18698 18699 65ba01 SetLastError 18698->18699 18699->18685 18710 65c6eb 18700->18710 18702 65ccee 18704 65bbb2 _Fputc 41 API calls 18702->18704 18703 65ccd9 18703->18702 18706 65cd21 18703->18706 18709 65cd09 std::_Locinfo::_Locinfo_dtor 18703->18709 18704->18709 18705 65cdb8 18707 65c632 41 API calls 18705->18707 18706->18705 18717 65c632 18706->18717 18707->18709 18709->18609 18711 65c6f0 18710->18711 18712 65c703 18710->18712 18713 6600ae __dosmaperr 14 API calls 18711->18713 18712->18703 18714 65c6f5 18713->18714 18715 65bc2f __strnicoll 41 API calls 18714->18715 18716 65c700 18715->18716 18716->18703 18718 65c657 18717->18718 18719 65c643 18717->18719 18718->18705 18719->18718 18720 6600ae __dosmaperr 14 API calls 18719->18720 18721 65c64c 18720->18721 18722 65bc2f __strnicoll 41 API calls 18721->18722 18722->18718 18724 65d202 18723->18724 18725 65d24b 18724->18725 18726 65d224 18724->18726 18729 65d241 18725->18729 18772 65cc15 18725->18772 18727 65bbb2 _Fputc 41 API calls 18726->18727 18727->18729 18729->18643 18731 65eadb 18730->18731 18732 65eb12 18731->18732 18733 6672ee 43 API calls 18731->18733 
18732->18643 18733->18732 18735 65ebe5 18734->18735 18783 65cef4 18735->18783 18737 65ebf5 18737->18643 18741 65eb6a 18738->18741 18739 65bbb2 _Fputc 41 API calls 18740 65eb8b 18739->18740 18740->18643 18741->18739 18741->18740 18743 65d085 18742->18743 18744 65d0a7 18743->18744 18745 65d0ce 18743->18745 18746 65bbb2 _Fputc 41 API calls 18744->18746 18747 65cc15 15 API calls 18745->18747 18748 65d0c4 18745->18748 18746->18748 18747->18748 18748->18643 18750 65e950 18749->18750 18751 65cc15 15 API calls 18750->18751 18752 65e991 18751->18752 18790 66716d 18752->18790 18755 65c690 std::_Locinfo::_Locinfo_dtor 41 API calls 18756 65ea3f 18755->18756 18757 65c690 std::_Locinfo::_Locinfo_dtor 41 API calls 18756->18757 18758 65ea72 18756->18758 18757->18758 18758->18643 18758->18758 18760 65d1ee 42 API calls 18759->18760 18761 65ec0b 18760->18761 18761->18643 18763 667303 18762->18763 18764 667344 18763->18764 18765 65c690 std::_Locinfo::_Locinfo_dtor 41 API calls 18763->18765 18770 667307 __fread_nolock std::_Locinfo::_Locinfo_dtor 18763->18770 18771 667330 __fread_nolock 18763->18771 18767 66aebc std::_Locinfo::_Locinfo_dtor WideCharToMultiByte 18764->18767 18764->18770 18764->18771 18765->18764 18766 65bbb2 _Fputc 41 API calls 18766->18770 18768 6673ff 18767->18768 18769 667415 GetLastError 18768->18769 18768->18770 18769->18770 18769->18771 18770->18643 18771->18766 18771->18770 18773 65cc3c 18772->18773 18782 65cc2a 18772->18782 18774 666756 std::_Locinfo::_Locinfo_dtor 15 API calls 18773->18774 18773->18782 18775 65cc60 18774->18775 18776 65cc73 18775->18776 18777 65cc68 18775->18777 18779 65d6fe 14 API calls 18776->18779 18778 665a1c ___free_lconv_mon 14 API calls 18777->18778 18778->18782 18780 65cc7e 18779->18780 18781 665a1c ___free_lconv_mon 14 API calls 18780->18781 18781->18782 18782->18729 18785 65cf08 18783->18785 18784 65cf51 18788 65cc15 15 API calls 18784->18788 18789 65cf47 18784->18789 18785->18784 18786 65cf2a 18785->18786 18787 65bbb2 _Fputc 41 API 
calls 18786->18787 18787->18789 18788->18789 18789->18737 18791 6671a2 18790->18791 18793 66717e 18790->18793 18791->18793 18794 6671d5 18791->18794 18792 65bbb2 _Fputc 41 API calls 18804 65ea1b 18792->18804 18793->18792 18795 66720e 18794->18795 18797 66723d 18794->18797 18800 667011 41 API calls 18795->18800 18796 667266 18801 667293 18796->18801 18802 6672cd 18796->18802 18797->18796 18798 66726b 18797->18798 18799 6668a9 43 API calls 18798->18799 18799->18804 18800->18804 18805 6672b3 18801->18805 18806 667298 18801->18806 18803 666bd5 43 API calls 18802->18803 18803->18804 18804->18755 18804->18756 18808 666dbe 43 API calls 18805->18808 18807 666f42 43 API calls 18806->18807 18807->18804 18808->18804 18810 660493 18809->18810 18811 66046c 18809->18811 18810->18569 18811->18810 18812 66758b __fread_nolock 41 API calls 18811->18812 18813 660488 18812->18813 18815 66946a 18813->18815 18816 669476 __FrameHandler3::FrameUnwindToState 18815->18816 18817 66953a 18816->18817 18819 6694cb 18816->18819 18825 66947e 18816->18825 18818 65bbb2 _Fputc 41 API calls 18817->18818 18818->18825 18826 66c7e4 EnterCriticalSection 18819->18826 18821 6694d1 18822 6694ee 18821->18822 18827 669572 18821->18827 18855 669532 18822->18855 18825->18810 18826->18821 18828 669597 18827->18828 18854 6695ba __fread_nolock 18827->18854 18829 66959b 18828->18829 18831 6695f9 18828->18831 18830 65bbb2 _Fputc 41 API calls 18829->18830 18830->18854 18832 669610 18831->18832 18833 66ad50 ___scrt_uninitialize_crt 43 API calls 18831->18833 18834 6690f6 ___scrt_uninitialize_crt 42 API calls 18832->18834 18833->18832 18835 66961a 18834->18835 18836 669660 18835->18836 18837 669620 18835->18837 18840 669674 18836->18840 18841 6696c3 WriteFile 18836->18841 18838 669627 18837->18838 18839 66964a 18837->18839 18848 66908e ___scrt_uninitialize_crt 6 API calls 18838->18848 18838->18854 18844 668cbc ___scrt_uninitialize_crt 47 API calls 18839->18844 18842 6696b1 18840->18842 18843 66967c 18840->18843 18845 
6696e5 GetLastError 18841->18845 18853 66965b 18841->18853 18849 669174 ___scrt_uninitialize_crt 7 API calls 18842->18849 18846 669681 18843->18846 18847 66969f 18843->18847 18844->18853 18845->18853 18850 66968a 18846->18850 18846->18854 18851 669338 ___scrt_uninitialize_crt 8 API calls 18847->18851 18848->18854 18849->18854 18852 66924f ___scrt_uninitialize_crt 7 API calls 18850->18852 18851->18853 18852->18854 18853->18854 18854->18822 18856 66c807 ___scrt_uninitialize_crt LeaveCriticalSection 18855->18856 18857 669538 18856->18857 18857->18825 18858->18540 18860 652967 18859->18860 18861 65297b 18860->18861 18889 6546e0 18860->18889 18861->18464 18903 656a31 18864->18903 18865 654de3 18865->18468 18867->18465 18868 658b4a 18867->18868 18950 65a66c 18868->18950 18870 658b4f 18870->18465 18872 6535a3 18871->18872 18873 65357e 18871->18873 18872->18467 18873->18872 18960 654d60 18873->18960 18876 6528a0 18875->18876 18876->18876 18967 651450 18876->18967 18878 6528b4 18975 652490 18878->18975 18880 6528c2 18883 652911 18880->18883 18884 6528ea std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 18880->18884 18881 65720a __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 18882 651377 18881->18882 18882->18472 18999 65bc3f 18883->18999 18884->18881 18890 654721 18889->18890 18895 652997 18889->18895 18891 652950 51 API calls 18890->18891 18894 65472a 18891->18894 18892 6547a2 18893 6550fa 8 API calls 18892->18893 18896 6547a7 18893->18896 18894->18892 18898 6547dc std::ios_base::_Init 18894->18898 18895->18464 18896->18895 18897 653540 43 API calls 18896->18897 18897->18895 18899 652860 std::ios_base::_Init 43 API calls 18898->18899 18900 65480e 18899->18900 18901 658050 Concurrency::cancel_current_task RaiseException 18900->18901 18902 65481c 18901->18902 18904 656a40 18903->18904 18905 656a53 _Yarn 18903->18905 18904->18865 18905->18904 18907 6611e9 18905->18907 18908 6611fc _Fputc 18907->18908 18913 660fc8 18908->18913 18910 661211 18911 65b96b _Fputc 41 API calls 
18910->18911 18912 66121e 18911->18912 18912->18904 18914 660fd6 18913->18914 18919 660ffe 18913->18919 18915 661005 18914->18915 18916 660fe3 18914->18916 18914->18919 18921 660f21 18915->18921 18917 65bbb2 _Fputc 41 API calls 18916->18917 18917->18919 18919->18910 18922 660f2d __FrameHandler3::FrameUnwindToState 18921->18922 18929 65c967 EnterCriticalSection 18922->18929 18924 660f3b 18930 660f7c 18924->18930 18929->18924 18931 667602 42 API calls 18930->18931 18932 660f94 18931->18932 18940 66103f 18932->18940 18935 6676ae 66 API calls 18936 660f48 18935->18936 18937 660f70 18936->18937 18949 65c97b LeaveCriticalSection 18937->18949 18939 660f59 18939->18910 18942 661051 18940->18942 18948 660fb2 18940->18948 18941 66105f 18943 65bbb2 _Fputc 41 API calls 18941->18943 18942->18941 18946 661095 _Yarn _Fputc 18942->18946 18942->18948 18943->18948 18944 660453 ___scrt_uninitialize_crt 66 API calls 18944->18946 18945 66758b __fread_nolock 41 API calls 18945->18946 18946->18944 18946->18945 18947 66946a ___scrt_uninitialize_crt 66 API calls 18946->18947 18946->18948 18947->18946 18948->18935 18949->18939 18951 65a675 18950->18951 18952 65a678 GetLastError 18950->18952 18951->18870 18955 65b7e3 18952->18955 18956 65b682 ___vcrt_InitializeCriticalSectionEx 5 API calls 18955->18956 18957 65b7fd 18956->18957 18958 65b815 TlsGetValue 18957->18958 18959 65a68d SetLastError 18957->18959 18958->18959 18959->18870 18963 6539e0 18960->18963 18964 6539f4 std::ios_base::_Init 18963->18964 18965 6539fd 18963->18965 18964->18965 18966 652860 std::ios_base::_Init 43 API calls 18964->18966 18965->18872 18968 6514d9 18967->18968 18972 651460 18967->18972 19018 6536f0 18968->19018 18971 651465 _Yarn 18971->18878 18972->18971 19004 6513f0 18972->19004 18974 6514b3 _Yarn 18974->18878 18976 6524b8 18975->18976 18977 652675 18976->18977 18982 6524c9 18976->18982 18979 6536f0 std::_Throw_Cpp_error 43 API calls 18977->18979 18978 6524ce _Yarn 18980 652565 18978->18980 19049 653880 
18978->19049 18981 65267a 18979->18981 18987 653880 std::_Throw_Cpp_error 43 API calls 18980->18987 18983 65bc3f std::_Throw_Cpp_error 41 API calls 18981->18983 18982->18978 18986 6513f0 std::_Throw_Cpp_error 43 API calls 18982->18986 18985 65267f 18983->18985 18988 65bc3f std::_Throw_Cpp_error 41 API calls 18985->18988 18986->18978 18989 65258e 18987->18989 18990 652684 18988->18990 18989->18981 18992 6525ba std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 18989->18992 18991 657fce std::bad_exception::bad_exception 42 API calls 18990->18991 18993 6526b2 18991->18993 18994 657fce std::bad_exception::bad_exception 42 API calls 18992->18994 18993->18880 18995 65260f 18994->18995 18995->18985 18996 652640 std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 18995->18996 18997 65720a __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 18996->18997 18998 65266f 18997->18998 18998->18880 19000 65bb7b __strnicoll 41 API calls 18999->19000 19001 65bc4e 19000->19001 19002 65bc5c __Getctype 11 API calls 19001->19002 19003 65bc5b 19002->19003 19005 651400 19004->19005 19006 651423 19004->19006 19007 651407 19005->19007 19008 65143a 19005->19008 19009 651434 19006->19009 19012 6571c7 codecvt 16 API calls 19006->19012 19011 6571c7 codecvt 16 API calls 19007->19011 19026 6536b0 19008->19026 19009->18974 19014 65140d 19011->19014 19013 65142d 19012->19013 19013->18974 19015 65bc3f std::_Throw_Cpp_error 41 API calls 19014->19015 19016 651416 19014->19016 19017 651444 19015->19017 19016->18974 19030 65509a 19018->19030 19027 6536bb codecvt 19026->19027 19028 658050 Concurrency::cancel_current_task RaiseException 19027->19028 19029 6536ca 19028->19029 19035 654fbd 19030->19035 19033 658050 Concurrency::cancel_current_task RaiseException 19034 6550b9 19033->19034 19038 6527d0 19035->19038 19041 657fce 19038->19041 19042 657fdb 19041->19042 19048 6527fe 19041->19048 19043 65f713 _Yarn 15 API calls 19042->19043 19042->19048 19044 657ff8 19043->19044 19045 658008 19044->19045 19046 664899 
std::bad_exception::bad_exception 41 API calls 19044->19046 19047 65bd95 std::locale::_Locimp::~_Locimp 14 API calls 19045->19047 19046->19045 19047->19048 19048->19033 19050 6538cf 19049->19050 19051 6536f0 std::_Throw_Cpp_error 43 API calls 19050->19051 19052 6539ce 19051->19052 19053 65bc3f std::_Throw_Cpp_error 41 API calls 19052->19053 19054 6539d3 19053->19054 19097 654efb 19055->19097 19058 654efb std::_Lockit::_Lockit 7 API calls 19059 651f14 19058->19059 19103 654f53 19059->19103 19060 651f35 19064 651f97 19060->19064 19065 651f82 19060->19065 19075 652064 19060->19075 19061 654f53 std::_Lockit::~_Lockit 2 API calls 19063 65207d 19061->19063 19063->18477 19067 6571c7 codecvt 16 API calls 19064->19067 19066 654f53 std::_Lockit::~_Lockit 2 API calls 19065->19066 19068 651f8d 19066->19068 19071 651f9e 19067->19071 19068->18477 19069 65203a 19070 65205e 19069->19070 19131 652a70 19069->19131 19146 655478 19070->19146 19071->19069 19074 654efb std::_Lockit::_Lockit 7 API calls 19071->19074 19076 651fd2 19074->19076 19075->19061 19077 652087 19076->19077 19078 652018 19076->19078 19149 6550da 19077->19149 19110 6555a8 19078->19110 19085 652950 51 API calls 19084->19085 19087 654c1e 19085->19087 19086 654ca8 19088 6550fa 8 API calls 19086->19088 19087->19086 19091 654ce3 std::ios_base::_Init 19087->19091 19089 654cad 19088->19089 19090 651ece 19089->19090 19092 653540 43 API calls 19089->19092 19090->18480 19093 652860 std::ios_base::_Init 43 API calls 19091->19093 19092->19090 19094 654d15 19093->19094 19095 658050 Concurrency::cancel_current_task RaiseException 19094->19095 19096 654d23 19095->19096 19098 654f11 19097->19098 19099 654f0a 19097->19099 19101 651efa 19098->19101 19159 656d5a EnterCriticalSection 19098->19159 19154 65f6b8 19099->19154 19101->19058 19101->19060 19104 65f6c6 19103->19104 19105 654f5d 19103->19105 19212 65f6a1 LeaveCriticalSection 19104->19212 19107 654f70 19105->19107 19211 656d68 LeaveCriticalSection 19105->19211 19107->19060 19108 
65f6cd 19108->19060 19213 65f973 19110->19213 19352 6555f3 19131->19352 19134 652a89 19136 652aa0 19134->19136 19137 65bd95 std::locale::_Locimp::~_Locimp 14 API calls 19134->19137 19135 65bd95 std::locale::_Locimp::~_Locimp 14 API calls 19135->19134 19138 652ab7 19136->19138 19139 65bd95 std::locale::_Locimp::~_Locimp 14 API calls 19136->19139 19137->19136 19140 652ace 19138->19140 19142 65bd95 std::locale::_Locimp::~_Locimp 14 API calls 19138->19142 19139->19138 19141 652ae5 19140->19141 19143 65bd95 std::locale::_Locimp::~_Locimp 14 API calls 19140->19143 19144 652afc 19141->19144 19145 65bd95 std::locale::_Locimp::~_Locimp 14 API calls 19141->19145 19142->19140 19143->19141 19145->19144 19147 6571c7 codecvt 16 API calls 19146->19147 19148 655483 19147->19148 19148->19075 19356 655031 19149->19356 19152 658050 Concurrency::cancel_current_task RaiseException 19153 6550f9 19152->19153 19160 6663f8 19154->19160 19159->19101 19181 665cfe 19160->19181 19182 665ee7 std::_Lockit::_Lockit 5 API calls 19181->19182 19183 665d14 19182->19183 19184 665d18 19183->19184 19185 665ee7 std::_Lockit::_Lockit 5 API calls 19184->19185 19186 665d2e 19185->19186 19187 665d32 19186->19187 19188 665ee7 std::_Lockit::_Lockit 5 API calls 19187->19188 19189 665d48 19188->19189 19190 665d4c 19189->19190 19191 665ee7 std::_Lockit::_Lockit 5 API calls 19190->19191 19192 665d62 19191->19192 19193 665d66 19192->19193 19194 665ee7 std::_Lockit::_Lockit 5 API calls 19193->19194 19195 665d7c 19194->19195 19196 665d80 19195->19196 19197 665ee7 std::_Lockit::_Lockit 5 API calls 19196->19197 19198 665d96 19197->19198 19199 665d9a 19198->19199 19200 665ee7 std::_Lockit::_Lockit 5 API calls 19199->19200 19201 665db0 19200->19201 19202 665db4 19201->19202 19203 665ee7 std::_Lockit::_Lockit 5 API calls 19202->19203 19204 665dca 19203->19204 19205 665de8 19204->19205 19211->19107 19212->19108 19214 6663f8 std::_Lockit::_Lockit 5 API calls 19213->19214 19215 65f980 19214->19215 19224 65f71e 19215->19224 
19225 65f72a __FrameHandler3::FrameUnwindToState 19224->19225 19232 65f659 EnterCriticalSection 19225->19232 19227 65f738 19233 65f779 19227->19233 19232->19227 19258 65f8d8 19233->19258 19235 65f794 19259 65f8e4 19258->19259 19260 65f8f2 19258->19260 19288 66369e 19259->19288 19303 667f53 19260->19303 19263 65f8ee 19263->19235 19265 65f968 19267 65bc5c __Getctype 11 API calls 19265->19267 19266 6659bf __Getctype 14 API calls 19268 65f924 19266->19268 19289 6636b4 19288->19289 19290 6636c8 19288->19290 19292 6600ae __dosmaperr 14 API calls 19289->19292 19291 664cf0 __Getctype 41 API calls 19290->19291 19293 6636cd 19291->19293 19294 6636b9 19292->19294 19295 6663f8 std::_Lockit::_Lockit 5 API calls 19293->19295 19296 65bc2f __strnicoll 41 API calls 19294->19296 19297 6636d5 19295->19297 19298 6636c4 19296->19298 19299 66d8d1 __Getctype 41 API calls 19297->19299 19298->19263 19300 6636da 19299->19300 19304 667f66 _Fputc 19303->19304 19305 667ca8 std::_Locinfo::_Locinfo_dtor 43 API calls 19304->19305 19306 667f7e 19305->19306 19307 65b96b _Fputc 41 API calls 19306->19307 19308 65f909 19307->19308 19308->19265 19308->19266 19353 6555ff 19352->19353 19354 652a79 19352->19354 19355 65f973 std::_Locinfo::_Locinfo_dtor 68 API calls 19353->19355 19354->19134 19354->19135 19355->19354 19357 6527d0 std::invalid_argument::invalid_argument 42 API calls 19356->19357 19358 655043 19357->19358 19358->19152 19360 6659bf __Getctype 14 API calls 19359->19360 19361 65f187 19360->19361 19362 665a1c ___free_lconv_mon 14 API calls 19361->19362 19363 65f194 19362->19363 19364 65f1b8 19363->19364 19365 65f19b GetModuleHandleExW 19363->19365 19365->19364 19447 6629f6 19446->19447 19455 662a07 19446->19455 19457 662a91 GetModuleHandleW 19447->19457 19451 662a45 19451->17793 19464 662891 19455->19464 19458 6629fb 19457->19458 19458->19455 19459 662af6 GetModuleHandleExW 19458->19459 19460 662b49 19459->19460 19461 662b35 GetProcAddress 19459->19461 19462 662b65 19460->19462 19463 662b5c 

                          Control-flow Graph

                          APIs
                          • CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,012700FF,012700EF), ref: 012702FC
                          • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 0127030F
                          • Wow64GetThreadContext.KERNEL32(0000008C,00000000), ref: 0127032D
                          • ReadProcessMemory.KERNELBASE(00000088,?,01270143,00000004,00000000), ref: 01270351
                          • VirtualAllocEx.KERNELBASE(00000088,?,?,00003000,00000040), ref: 0127037C
                          • WriteProcessMemory.KERNELBASE(00000088,00000000,?,?,00000000,?), ref: 012703D4
                          • WriteProcessMemory.KERNELBASE(00000088,00400000,?,?,00000000,?,00000028), ref: 0127041F
                          • WriteProcessMemory.KERNELBASE(00000088,-00000008,?,00000004,00000000), ref: 0127045D
                          • Wow64SetThreadContext.KERNEL32(0000008C,02C20000), ref: 01270499
                          • ResumeThread.KERNELBASE(0000008C), ref: 012704A8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1761589453.0000000001270000.00000040.00001000.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1270000_setup.jbxd
                          Similarity
                          • API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
                          • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
                          • API String ID: 2687962208-1257834847
                          • Opcode ID: 6ed679946abb4a161c9f75f6101290084365813039212a6bd0c7882d8dd446c2
                          • Instruction ID: 75ffed4ba5a25485f23c58fd16edf77980e42bd15f316e3eb309cd21cd5ad752
                          • Opcode Fuzzy Hash: 6ed679946abb4a161c9f75f6101290084365813039212a6bd0c7882d8dd446c2
                          • Instruction Fuzzy Hash: 0FB1E57664028AAFDB60CF68CC80BDA77A5FF88714F158524FA0CAB341D774FA418B94

                          Control-flow Graph

                          APIs
                          • CreateThread.KERNELBASE(00000000,00000000,00675BF0,00000000,00000000,00000000), ref: 00675BDF
                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000000,?,?,?,?,?,?,?,?,00675C96), ref: 00675BE8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1761104122.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                          • Associated: 00000000.00000002.1761087802.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761308959.0000000000676000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761326554.0000000000681000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761449438.00000000006CE000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_650000_setup.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateObjectSingleThreadWait
                          • String ID: C$Earth$Own head
                          • API String ID: 1891408510-3365287836
                          • Opcode ID: 1fed2da07729174c916fcdcf5bdfc273e3d9645c2db646ae3547f48b4fb01cb4
                          • Instruction ID: 6c25970eb795aa3652870dc016af62d24efe5498512128a62976b43fa0930aaf
                          • Opcode Fuzzy Hash: 1fed2da07729174c916fcdcf5bdfc273e3d9645c2db646ae3547f48b4fb01cb4
                          • Instruction Fuzzy Hash: D2715871904B459FC710EF34CCC1B6FB7DAAF45340F188A6DF89A47282E7A0A6488B55
                          Memory Dump Source
                          • Source File: 00000000.00000002.1761104122.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                          • Associated: 00000000.00000002.1761087802.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761308959.0000000000676000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761326554.0000000000681000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761449438.00000000006CE000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_650000_setup.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cf5fdfae591733c3582f13f8f85d654677cd7171e315ed3219ee0695846118de
                          • Instruction ID: 5d1ef5c48e1bbd99eeec82018de2ca6e5a46cb69521c91436199f0f2ec4eed50
                          • Opcode Fuzzy Hash: cf5fdfae591733c3582f13f8f85d654677cd7171e315ed3219ee0695846118de
                          • Instruction Fuzzy Hash: 04F0E532614220DFCB12CB4CC805F9873ADEB44B54F12006AF111D7250C2B0DD00C7C0

                          Control-flow Graph

                          APIs
                          • GetModuleHandleA.KERNEL32(user32.dll,ShowWindow,226D7AA9), ref: 00675D65
                          • GetProcAddress.KERNEL32(00000000), ref: 00675D6C
                          • GetConsoleWindow.KERNELBASE(?,00000000), ref: 00675D7B
                          • GetModuleHandleA.KERNEL32(kernel32.dll,FreeConsole), ref: 00675D8F
                          • GetProcAddress.KERNEL32(00000000), ref: 00675D96
                          • FreeConsole.KERNELBASE ref: 00675DA2
                            • Part of subcall function 00675000: GetCurrentThreadId.KERNEL32 ref: 00675079
                          Strings
                          Yara matches
                          Similarity
                          • API ID: AddressConsoleHandleModuleProc$CurrentFreeThreadWindow
                          • String ID: FreeConsole$ShowWindow$kernel32.dll$user32.dll
                          • API String ID: 245968307-4003964729

                          Control-flow Graph

                          APIs
                          • GetCurrentThreadId.KERNEL32 ref: 00675079
                          • std::_Throw_Cpp_error.LIBCPMT ref: 006750B4
                          • std::_Throw_Cpp_error.LIBCPMT ref: 006750BB
                          • std::_Throw_Cpp_error.LIBCPMT ref: 006750C2
                          • std::_Throw_Cpp_error.LIBCPMT ref: 006750C9
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Cpp_errorThrow_std::_$CurrentThread
                          • String ID: Success created.
                          • API String ID: 2261580123-2637490038

                          Control-flow Graph

                          control_flow_graph 33 665e1c-665e28 34 665eba-665ebd 33->34 35 665ec3 34->35 36 665e2d-665e3e 34->36 37 665ec5-665ec9 35->37 38 665e40-665e43 36->38 39 665e4b-665e64 LoadLibraryExW 36->39 42 665ee3-665ee5 38->42 43 665e49 38->43 40 665e66-665e6f GetLastError 39->40 41 665eca-665eda 39->41 45 665e71-665e83 call 664978 40->45 46 665ea8-665eb5 40->46 41->42 47 665edc-665edd FreeLibrary 41->47 42->37 44 665eb7 43->44 44->34 45->46 50 665e85-665e97 call 664978 45->50 46->44 47->42 50->46 53 665e99-665ea6 LoadLibraryExW 50->53 53->41 53->46
                          APIs
                          • FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,226D7AA9,?,00665F29,?,?,?,00000000), ref: 00665EDD
                          Strings
                          Yara matches
                          Similarity
                          • API ID: FreeLibrary
                          • String ID: api-ms-$ext-ms-
                          • API String ID: 3664257935-537541572

                          Control-flow Graph

                          APIs
                          • GetLastError.KERNEL32(00680168,0000000C), ref: 0065F07D
                          • ExitThread.KERNEL32 ref: 0065F084
                          Strings
                          Yara matches
                          Similarity
                          • API ID: ErrorExitLastThread
                          • String ID: `e
                          • API String ID: 1611280651-3155454700

                          Control-flow Graph

                          control_flow_graph 183 65f1c6-65f1d1 184 65f1e7-65f1fa call 65f176 183->184 185 65f1d3-65f1e6 call 6600ae call 65bc2f 183->185 191 65f1fc-65f219 CreateThread 184->191 192 65f228 184->192 195 65f237-65f23c 191->195 196 65f21b-65f227 GetLastError call 660054 191->196 193 65f22a-65f236 call 65f0e8 192->193 198 65f243-65f247 195->198 199 65f23e-65f241 195->199 196->192 198->193 199->198
                          APIs
                          • CreateThread.KERNELBASE(?,?,Function_0000F06A,00000000,?,?), ref: 0065F20F
                          • GetLastError.KERNEL32 ref: 0065F21B
                          • __dosmaperr.LIBCMT ref: 0065F222
                          Yara matches
                          Similarity
                          • API ID: CreateErrorLastThread__dosmaperr
                          • String ID:
                          • API String ID: 2744730728-0

                          Control-flow Graph

                          control_flow_graph 229 65628d-6562a7 230 6562b0-6562b8 229->230 231 6562a9-6562ab 229->231 233 6562dc-6562e0 230->233 234 6562ba-6562c4 230->234 232 656387-656394 call 65720a 231->232 237 6562e6-6562f7 call 6560f1 233->237 238 656383 233->238 234->233 236 6562c6-6562d7 234->236 242 65637f-656381 236->242 244 6562ff-656333 237->244 245 6562f9-6562fd 237->245 240 656386 238->240 240->232 242->240 252 656335-656338 244->252 253 656356-65635e 244->253 246 656346 call 6559d3 245->246 249 65634b-65634f 246->249 249->242 251 656351-656354 249->251 251->242 252->253 256 65633a-65633e 252->256 254 656360-656371 call 6611e9 253->254 255 656373-65637d 253->255 254->238 254->255 255->238 255->242 256->238 258 656340-656343 256->258 258->246
                          Strings
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: `e
                          • API String ID: 0-3155454700

                          Control-flow Graph

                          control_flow_graph 260 669572-669591 261 669597-669599 260->261 262 66976b 260->262 263 6695c5-6695eb 261->263 264 66959b-6695ba call 65bbb2 261->264 265 66976d-669771 262->265 267 6695f1-6695f7 263->267 268 6695ed-6695ef 263->268 271 6695bd-6695c0 264->271 267->264 270 6695f9-669603 267->270 268->267 268->270 272 669605-669610 call 66ad50 270->272 273 669613-66961e call 6690f6 270->273 271->265 272->273 278 669660-669672 273->278 279 669620-669625 273->279 282 669674-66967a 278->282 283 6696c3-6696e3 WriteFile 278->283 280 669627-66962b 279->280 281 66964a-66965e call 668cbc 279->281 286 669733-669745 280->286 287 669631-669640 call 66908e 280->287 303 669643-669645 281->303 284 6696b1-6696bc call 669174 282->284 285 66967c-66967f 282->285 289 6696e5-6696eb GetLastError 283->289 290 6696ee 283->290 302 6696c1 284->302 291 669681-669684 285->291 292 66969f-6696af call 669338 285->292 293 669747-66974d 286->293 294 66974f-669761 286->294 287->303 289->290 298 6696f1-6696fc 290->298 291->286 299 66968a-669695 call 66924f 291->299 310 66969a-66969d 292->310 293->262 293->294 294->271 304 669766-669769 298->304 305 6696fe-669703 298->305 299->310 302->310 303->298 304->265 306 669705-66970a 305->306 307 669731 305->307 311 669723-66972c call 660077 306->311 312 66970c-66971e 306->312 307->286 310->303 311->271 312->271
                          APIs
                            • Part of subcall function 00668CBC: GetConsoleOutputCP.KERNEL32(226D7AA9,00000000,00000000,?), ref: 00668D1F
                          • WriteFile.KERNEL32(?,00000000,?,?,00000000,?,00000000,00000000,?,00000001,?,?,?,?,?,?), ref: 006696DB
                          • GetLastError.KERNEL32 ref: 006696E5
                          Yara matches
                          Similarity
                          • API ID: ConsoleErrorFileLastOutputWrite
                          • String ID:
                          • API String ID: 2915228174-0

                          Control-flow Graph

                          control_flow_graph 315 669174-6691c9 call 657f80 318 66923e-66924e call 65720a 315->318 319 6691cb 315->319 321 6691d1 319->321 323 6691d7-6691d9 321->323 324 6691f3-669218 WriteFile 323->324 325 6691db-6691e0 323->325 326 669236-66923c GetLastError 324->326 327 66921a-669225 324->327 328 6691e2-6691e8 325->328 329 6691e9-6691f1 325->329 326->318 327->318 330 669227-669232 327->330 328->329 329->323 329->324 330->321 331 669234 330->331 331->318
                          APIs
                          • WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?,?,006696C1,00000001,00000000,00000000,?,?,00000000), ref: 00669210
                          • GetLastError.KERNEL32(?,006696C1,00000001,00000000,00000000,?,?,00000000,00000000,?,00000001,?,?,?,?,?), ref: 00669236
                          Yara matches
                          Similarity
                          • API ID: ErrorFileLastWrite
                          • String ID:
                          • API String ID: 442123175-0

                          Control-flow Graph

                          control_flow_graph 332 66661a-66661f 333 666621-666639 332->333 334 666647-666650 333->334 335 66663b-66663f 333->335 337 666662 334->337 338 666652-666655 334->338 335->334 336 666641-666645 335->336 339 6666bc-6666c0 336->339 342 666664-666671 GetStdHandle 337->342 340 666657-66665c 338->340 341 66665e-666660 338->341 339->333 343 6666c6-6666c9 339->343 340->342 341->342 344 666673-666675 342->344 345 66669e-6666b0 342->345 344->345 346 666677-666680 GetFileType 344->346 345->339 347 6666b2-6666b5 345->347 346->345 348 666682-66668b 346->348 347->339 349 666693-666696 348->349 350 66668d-666691 348->350 349->339 351 666698-66669c 349->351 350->339 351->339
                          APIs
                          • GetStdHandle.KERNEL32(000000F6), ref: 00666666
                          • GetFileType.KERNELBASE(00000000), ref: 00666678
                          Yara matches
                          Similarity
                          • API ID: FileHandleType
                          • String ID:
                          • API String ID: 3000768030-0

                          Control-flow Graph

                          control_flow_graph 352 665a1c-665a25 353 665a27-665a3a RtlFreeHeap 352->353 354 665a54-665a55 352->354 353->354 355 665a3c-665a53 GetLastError call 660011 call 6600ae 353->355 355->354
                          APIs
                          • RtlFreeHeap.NTDLL(00000000,00000000,?,0066D082,?,00000000,?,?,0066D323,?,00000007,?,?,0066D81C,?,?), ref: 00665A32
                          • GetLastError.KERNEL32(?,?,0066D082,?,00000000,?,?,0066D323,?,00000007,?,?,0066D81C,?,?), ref: 00665A3D
                          Yara matches
                          Similarity
                          • API ID: ErrorFreeHeapLast
                          • String ID:
                          • API String ID: 485612231-0

                          Control-flow Graph

                          control_flow_graph 360 675bf0-675c62 call 6513f0 call 6571c7 365 675c64-675c75 call 6750d0 360->365 366 675c78-675cdc VirtualAlloc call 675940 call 6755f0 Sleep 360->366 365->366 374 675d05-675d15 call 65720a 366->374 375 675cde-675ce9 366->375 376 675cfb-675cfd call 6571f7 375->376 377 675ceb-675cf9 375->377 383 675d02 376->383 377->376 379 675d16-675d1b call 65bc3f 377->379 383->374
                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,000004AC,00001000,00000040), ref: 00675C86
                          • Sleep.KERNELBASE(000003E8), ref: 00675CD0
                          Yara matches
                          Similarity
                          • API ID: AllocSleepVirtual
                          • String ID:
                          • API String ID: 503295252-0
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          APIs
                          Strings
                          Yara matches
                          Similarity
                          • API ID: __floor_pentium4
                          • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                          • API String ID: 4168288129-2761157908
                          APIs
                          • GetLocaleInfoW.KERNEL32(?,2000000B,0066EB4B,00000002,00000000,?,?,?,0066EB4B,?,00000000), ref: 0066E8C6
                          • GetLocaleInfoW.KERNEL32(?,20001004,0066EB4B,00000002,00000000,?,?,?,0066EB4B,?,00000000), ref: 0066E8EF
                          • GetACP.KERNEL32(?,?,0066EB4B,?,00000000), ref: 0066E904
                          Strings
                          Yara matches
                          Similarity
                          • API ID: InfoLocale
                          • String ID: ACP$OCP
                          • API String ID: 2299586839-711371036
                          APIs
                            • Part of subcall function 00664CF0: GetLastError.KERNEL32(?,00000008,00667C7C), ref: 00664CF4
                            • Part of subcall function 00664CF0: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 00664D96
                          • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0066EB0E
                          • IsValidCodePage.KERNEL32(00000000), ref: 0066EB57
                          • IsValidLocale.KERNEL32(?,00000001), ref: 0066EB66
                          • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0066EBAE
                          • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0066EBCD
                          Similarity
                          • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                          APIs
                            • Part of subcall function 00664CF0: GetLastError.KERNEL32(?,00000008,00667C7C), ref: 00664CF4
                            • Part of subcall function 00664CF0: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 00664D96
                          • GetACP.KERNEL32(?,?,?,?,?,?,00663413,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0066E15F
                          • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00663413,?,?,?,00000055,?,-00000050,?,?), ref: 0066E18A
                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0066E2ED
                          Similarity
                          • API ID: ErrorLast$CodeInfoLocalePageValid
                          • String ID: utf8
                          APIs
                          Similarity
                          • API ID: _strrchr
                          APIs
                          • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00657D05
                          • IsDebuggerPresent.KERNEL32 ref: 00657DD1
                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00657DEA
                          • UnhandledExceptionFilter.KERNEL32(?), ref: 00657DF4
                          Similarity
                          • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                          APIs
                            • Part of subcall function 00664CF0: GetLastError.KERNEL32(?,00000008,00667C7C), ref: 00664CF4
                            • Part of subcall function 00664CF0: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 00664D96
                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0066E505
                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0066E54F
                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0066E615
                          Similarity
                          • API ID: InfoLocale$ErrorLast
                          APIs
                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000001), ref: 0065BB2B
                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000001), ref: 0065BB35
                          • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000001), ref: 0065BB42
                          Similarity
                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                          APIs
                          • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00663F79,?,20001004,00000000,00000002,?,?,0066357B), ref: 006661ED
                          Similarity
                          • API ID: InfoLocale
                          • String ID: `e
                          APIs
                          • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00665374,?,?,00000008,?,?,00672CF2,00000000), ref: 006655A6
                          Similarity
                          • API ID: ExceptionRaise
                          APIs
                          • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 006577E2
                          Similarity
                          • API ID: FeaturePresentProcessor
                          Similarity
                          • String ID: ddg
                          Similarity
                          • String ID: 0
                          APIs
                            • Part of subcall function 00664CF0: GetLastError.KERNEL32(?,00000008,00667C7C), ref: 00664CF4
                            • Part of subcall function 00664CF0: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 00664D96
                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0066E758
                          Similarity
                          • API ID: ErrorLast$InfoLocale
                          APIs
                            • Part of subcall function 00664CF0: GetLastError.KERNEL32(?,00000008,00667C7C), ref: 00664CF4
                            • Part of subcall function 00664CF0: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 00664D96
                          • EnumSystemLocalesW.KERNEL32(0066E4B1,00000001,00000000,?,-00000050,?,0066EAE2,00000000,?,?,?,00000055,?), ref: 0066E3FD
                          Similarity
                          • API ID: ErrorLast$EnumLocalesSystem
                          APIs
                            • Part of subcall function 00664CF0: GetLastError.KERNEL32(?,00000008,00667C7C), ref: 00664CF4
                            • Part of subcall function 00664CF0: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 00664D96
                          • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0066E7AE,00000000,00000000,?), ref: 0066E95F
                          Similarity
                          • API ID: ErrorLast$InfoLocale
                          APIs
                            • Part of subcall function 00664CF0: GetLastError.KERNEL32(?,00000008,00667C7C), ref: 00664CF4
                            • Part of subcall function 00664CF0: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 00664D96
                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0066E2ED
                          Similarity
                          • API ID: ErrorLast$InfoLocale
                          • String ID: utf8
                          APIs
                            • Part of subcall function 00664CF0: GetLastError.KERNEL32(?,00000008,00667C7C), ref: 00664CF4
                            • Part of subcall function 00664CF0: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 00664D96
                          • EnumSystemLocalesW.KERNEL32(0066E704,00000001,?,?,-00000050,?,0066EAA6,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 0066E470
                          Similarity
                          • API ID: ErrorLast$EnumLocalesSystem
                          APIs
                            • Part of subcall function 0065F659: EnterCriticalSection.KERNEL32(?,?,00662041,00000000,00680308,0000000C,00662008,?,?,006659F2,?,?,00664E8E,00000001,00000364,?), ref: 0065F668
                          • EnumSystemLocalesW.KERNEL32(00665C46,00000001,006804D8,0000000C,006660B5,00000000), ref: 00665C8B
                          Memory Dump Source
                          • Source File: 00000000.00000002.1761104122.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                          • Associated: 00000000.00000002.1761087802.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761308959.0000000000676000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761326554.0000000000681000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761449438.00000000006CE000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_650000_setup.jbxd
                          Yara matches
                          Similarity
                          • API ID: CriticalEnterEnumLocalesSectionSystem
                          • String ID:
                          • API String ID: 1272433827-0
                          • Opcode ID: 61e132c5d671d824e9820beb11676206945b7a8e4f4ecda2ea43bdaebffadf7e
                          • Instruction ID: ef27f170836e320d8a91a356d553cb06cc9eae1bcad8efeffe092d3c98b0e1dc
                          • Opcode Fuzzy Hash: 61e132c5d671d824e9820beb11676206945b7a8e4f4ecda2ea43bdaebffadf7e
                          • Instruction Fuzzy Hash: 1AF03776A04704EFD744EF98E842BA877A2FB05721F10412AF915AB2A1CB7559048F54
                          APIs
                            • Part of subcall function 00664CF0: GetLastError.KERNEL32(?,00000008,00667C7C), ref: 00664CF4
                            • Part of subcall function 00664CF0: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 00664D96
                          • EnumSystemLocalesW.KERNEL32(0066E299,00000001,?,?,?,0066EB04,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0066E377
                          Memory Dump Source
                          • Source File: 00000000.00000002.1761104122.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                          • Associated: 00000000.00000002.1761087802.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761308959.0000000000676000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761326554.0000000000681000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761449438.00000000006CE000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_650000_setup.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLast$EnumLocalesSystem
                          • String ID:
                          • API String ID: 2417226690-0
                          • Opcode ID: 05c8fe6d7749093dfbb9a8e994768124617da43e511f15b33b272fa541bb8bf3
                          • Instruction ID: b726b6c203c3f93c16103e55c632fcbf8725c8b699bdcef3771ee0e6582d03ce
                          • Opcode Fuzzy Hash: 05c8fe6d7749093dfbb9a8e994768124617da43e511f15b33b272fa541bb8bf3
                          • Instruction Fuzzy Hash: 01F0AB3A30020597CB089F3AD809AABBF96EFC1720B0B005CFE09CB781C632D942C790
                          APIs
                          • SetUnhandledExceptionFilter.KERNEL32(Function_00007E61,006572F3), ref: 00657E5A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1761104122.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                          • Associated: 00000000.00000002.1761087802.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761308959.0000000000676000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761326554.0000000000681000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761449438.00000000006CE000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_650000_setup.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExceptionFilterUnhandled
                          • String ID:
                          • API String ID: 3192549508-0
                          • Opcode ID: a3669498a42d9e5220e0fe876274c9a079c96da65c89ff277f2e5e43477907be
                          • Instruction ID: e3b75703fbb10fbcf104bbdd9cd6d6a4545b7c3cdf7b4114b7e389422049cede
                          • Opcode Fuzzy Hash: a3669498a42d9e5220e0fe876274c9a079c96da65c89ff277f2e5e43477907be
                          • Instruction Fuzzy Hash:
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1761104122.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                          • Associated: 00000000.00000002.1761087802.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761308959.0000000000676000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761326554.0000000000681000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761449438.00000000006CE000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_650000_setup.jbxd
                          Yara matches
                          Similarity
                          • API ID: HeapProcess
                          • String ID:
                          • API String ID: 54951025-0
                          • Opcode ID: 5828ec36e9214e36f27fa254036199b57c7d97c63a6e233f8dcaa7ecf572ebf4
                          • Instruction ID: 8a1496450b31a9e0a2c16abb6f179e342600f7743c34e85be07327f2890259f2
                          • Opcode Fuzzy Hash: 5828ec36e9214e36f27fa254036199b57c7d97c63a6e233f8dcaa7ecf572ebf4
                          • Instruction Fuzzy Hash: BDA011302022008B8B008F30AB08A083AAABA80280308A0A8A008C02A0EA288080AA00
                          Memory Dump Source
                          • Source File: 00000000.00000002.1761104122.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                          • Associated: 00000000.00000002.1761087802.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761308959.0000000000676000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761326554.0000000000681000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761449438.00000000006CE000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_650000_setup.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 708ba0e2f93da3dc06af356410f57d6997c240582a00b32ccae21ce1edf30f5c
                          • Instruction ID: 634147693ce616871421398df136e08bd5df89a5734cb3f5d280916ddcfdb538
                          • Opcode Fuzzy Hash: 708ba0e2f93da3dc06af356410f57d6997c240582a00b32ccae21ce1edf30f5c
                          • Instruction Fuzzy Hash: 6FB19E7090060A8BCF2CCFA8C5556FEB7EBAB05302F14461EEC52D7395D622AB4ACB55
                          Memory Dump Source
                          • Source File: 00000000.00000002.1761104122.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                          • Associated: 00000000.00000002.1761087802.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761308959.0000000000676000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761326554.0000000000681000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761449438.00000000006CE000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_650000_setup.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 731efcd965afb7d31dce2c77440add49c71747e3569c2edbd24de8de140de030
                          • Instruction ID: 655de6fd7d1b6bd6d220f74c76ea9edc318424b649a4518c386a7012eecad820
                          • Opcode Fuzzy Hash: 731efcd965afb7d31dce2c77440add49c71747e3569c2edbd24de8de140de030
                          • Instruction Fuzzy Hash: D9E08C72A15238EBCB24DB88D904A8AF7EDEB44B04F15009AB501D3201C670EE00CBD0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1761104122.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                          • Associated: 00000000.00000002.1761087802.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761308959.0000000000676000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761326554.0000000000681000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761449438.00000000006CE000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_650000_setup.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: add6a00aa613c972d8003628ebf23b8b2d772b70a53c982e1f0facc8b7adb8b4
                          • Instruction ID: 77458e0e22a1184803233930f417ebc8b1fa91bf7359da6f536973d6f697ed39
                          • Opcode Fuzzy Hash: add6a00aa613c972d8003628ebf23b8b2d772b70a53c982e1f0facc8b7adb8b4
                          • Instruction Fuzzy Hash: A8C08C34415DC086CF39892882B13E63357B3D2782F80048CC4820B742C5DE9C82E782
                          APIs
                          • std::_Lockit::_Lockit.LIBCPMT ref: 00651EF5
                          • std::_Lockit::_Lockit.LIBCPMT ref: 00651F0F
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00651F30
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00651F88
                          • std::_Lockit::_Lockit.LIBCPMT ref: 00651FCD
                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0065201E
                          • __Getctype.LIBCPMT ref: 00652035
                          • std::_Facet_Register.LIBCPMT ref: 0065205F
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00652078
                            • Part of subcall function 006550DA: std::invalid_argument::invalid_argument.LIBCONCRT ref: 006550E6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1761104122.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                          • Associated: 00000000.00000002.1761087802.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761308959.0000000000676000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761326554.0000000000681000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761449438.00000000006CE000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_650000_setup.jbxd
                          Yara matches
                          Similarity
                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeLocinfo::_Locinfo_ctorRegisterstd::invalid_argument::invalid_argument
                          • String ID: bad locale name
                          • API String ID: 2137871723-1405518554
                          • Opcode ID: 7d450c6d958953dc8e59ec8dd347e38fcb66ffdaa8969227193c0fa2876ac4a6
                          • Instruction ID: f09ae62f4668ee2c6fcd11ad1ec56c9b034c970918f4b1d32946fa0db3cea33c
                          • Opcode Fuzzy Hash: 7d450c6d958953dc8e59ec8dd347e38fcb66ffdaa8969227193c0fa2876ac4a6
                          • Instruction Fuzzy Hash: 6641EF315083408FC360DF18D890BAABBE2AF92725F14455DFC999B352DB31E84ECB92
                          APIs
                          • std::_Lockit::_Lockit.LIBCPMT ref: 006520B2
                          • std::_Lockit::_Lockit.LIBCPMT ref: 006520CF
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 006520F0
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0065214B
                          • std::_Lockit::_Lockit.LIBCPMT ref: 0065218C
                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 006521CF
                          • std::_Facet_Register.LIBCPMT ref: 006521F8
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00652211
                            • Part of subcall function 006550DA: std::invalid_argument::invalid_argument.LIBCONCRT ref: 006550E6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1761104122.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                          • Associated: 00000000.00000002.1761087802.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761308959.0000000000676000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761326554.0000000000681000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761449438.00000000006CE000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_650000_setup.jbxd
                          Yara matches
                          Similarity
                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Locinfo::_Locinfo_ctorRegisterstd::invalid_argument::invalid_argument
                          • String ID: bad locale name
                          • API String ID: 3096327801-1405518554
                          • Opcode ID: 3fde9a182ce82c0bd810540d6449788bfa34015a95815ad3703a124e48ee0b77
                          • Instruction ID: 54f8be7899c44998491f485f85121c0e02a1d6fa1e8e6ee85cbd0ca2f7aa4aad
                          • Opcode Fuzzy Hash: 3fde9a182ce82c0bd810540d6449788bfa34015a95815ad3703a124e48ee0b77
                          • Instruction Fuzzy Hash: 2A41D0719043428FC360DF18D8A0A9BBBE2BF95721F04445DED8997351DB30E94ECB96
                          APIs
                          • std::_Lockit::_Lockit.LIBCPMT ref: 00653011
                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00653058
                          • Concurrency::cancel_current_task.LIBCPMT ref: 0065311A
                          • Concurrency::cancel_current_task.LIBCPMT ref: 0065311F
                          • Concurrency::cancel_current_task.LIBCPMT ref: 00653124
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1761104122.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                          • Associated: 00000000.00000002.1761087802.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761308959.0000000000676000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761326554.0000000000681000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761449438.00000000006CE000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_650000_setup.jbxd
                          Yara matches
                          Similarity
                          • API ID: Concurrency::cancel_current_task$std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                          • String ID: bad locale name$false$true
                          • API String ID: 164343898-1062449267
                          • Opcode ID: 15a02b0ab0b3d366a59ef46d9f6db4e0a799d1544d788fa5dc898e74898009df
                          • Instruction ID: 373a1068fb8ea2435a86be7ba9b97c2fa05d003f81be7e5ba8004a766bbb7d96
                          • Opcode Fuzzy Hash: 15a02b0ab0b3d366a59ef46d9f6db4e0a799d1544d788fa5dc898e74898009df
                          • Instruction Fuzzy Hash: 4141D031505B409FC360EF64888179ABBE2AF54B02F44582DFC8987392E771DA4DCB96
                          APIs
                          • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00657188
                          • GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 00657196
                          • GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 006571A7
                          • GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 006571B8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1761104122.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                          • Associated: 00000000.00000002.1761087802.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761308959.0000000000676000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761326554.0000000000681000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761449438.00000000006CE000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_650000_setup.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$HandleModule
                          • String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
                          • API String ID: 667068680-1247241052
                          • Opcode ID: 4649156a776ec253f4fdc61f8e5a783f7b17795af1a563f44c0bbd98e522228a
                          • Instruction ID: 5f4995b31e9a15f18fc795d4332213c09af1537f7897ba140006a9d99f3bfc54
                          • Opcode Fuzzy Hash: 4649156a776ec253f4fdc61f8e5a783f7b17795af1a563f44c0bbd98e522228a
                          • Instruction Fuzzy Hash: DDE08C71944B10AFC300AF70FE0CC5A3EE7EE093013026521F519C2561D6704181CF90
                          APIs
                          • type_info::operator==.LIBVCRUNTIME ref: 0065AA67
                          • ___TypeMatch.LIBVCRUNTIME ref: 0065AB75
                          • _UnwindNestedFrames.LIBCMT ref: 0065ACC7
                          • CallUnexpected.LIBVCRUNTIME ref: 0065ACE2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1761104122.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                          • Associated: 00000000.00000002.1761087802.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761308959.0000000000676000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761326554.0000000000681000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761449438.00000000006CE000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_650000_setup.jbxd
                          Yara matches
                          Similarity
                          • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                          • String ID: csm$csm$csm
                          • API String ID: 2751267872-393685449
                          • Opcode ID: 3a9ad7f7599f7876b2bf692ec32975db21f308a4fab5abaf8768daed656c4588
                          • Instruction ID: d1633a4fc4f17a851dab237f668f11a5e51d21e1301761cff90c780a3ff39d75
                          • Opcode Fuzzy Hash: 3a9ad7f7599f7876b2bf692ec32975db21f308a4fab5abaf8768daed656c4588
                          • Instruction Fuzzy Hash: 20B1487180020AEFCF25DFE4C9819AEBBB6FF04312F14465AEC156B212D731DA59CB96
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1761104122.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                          • Associated: 00000000.00000002.1761087802.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761308959.0000000000676000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761326554.0000000000681000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761449438.00000000006CE000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_650000_setup.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID: 0-3907804496
                          • Opcode ID: 219d8bbcfb1cf8f177198f9a44aba936c4bc10d324b7104ef1a68f1796210548
                          • Instruction ID: 265eb3ba71d0f09f745dd0569f3e7bcffda55fbc374346f93422bdcb379fb7d7
                          • Opcode Fuzzy Hash: 219d8bbcfb1cf8f177198f9a44aba936c4bc10d324b7104ef1a68f1796210548
                          • Instruction Fuzzy Hash: A2B1CF74A00249AFDB15DFE9C980BBEBBB3AF49310F144169E445AB392C7719D42CF62
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1761104122.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                          • Associated: 00000000.00000002.1761087802.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761308959.0000000000676000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761326554.0000000000681000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761449438.00000000006CE000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_650000_setup.jbxd
                          Yara matches
                          Similarity
                          • API ID: __freea$__alloca_probe_16$Info
                          • String ID:
                          • API String ID: 127012223-0
                          • Opcode ID: 44acd867636759317240caf3a428e530ebd0888fe4ded679ee79459a0d30c5f5
                          • Instruction ID: 7942d96346f48d87c7a6708026ccff54b75ce60b1fc0f2a3903221541b991895
                          • Opcode Fuzzy Hash: 44acd867636759317240caf3a428e530ebd0888fe4ded679ee79459a0d30c5f5
                          • Instruction Fuzzy Hash: F671F572A042296BDF209EA4DC41BEE77BB9F45310F188059E85CB7392E735DF00A764
                          APIs
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 00656EA1
                          • __alloca_probe_16.LIBCMT ref: 00656ECD
                          • MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 00656F0C
                          • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00656F29
                          • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00656F68
                          • __alloca_probe_16.LIBCMT ref: 00656F85
                          • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00656FC7
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00656FEA
                          Memory Dump Source
                          • Source File: 00000000.00000002.1761104122.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                          • Associated: 00000000.00000002.1761087802.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761308959.0000000000676000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761326554.0000000000681000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761449438.00000000006CE000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_650000_setup.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharMultiStringWide$__alloca_probe_16
                          • String ID:
                          • API String ID: 2040435927-0
                          • Opcode ID: f81eadfc8fdb5226f57ce123d228eb2ce6d67be9a3473ac7f89e01abd64a4780
                          • Instruction ID: de8ef28d3a56e22ee77ac95c3000c888a4dc3a5a78071861089b04f76ffe57f0
                          • Opcode Fuzzy Hash: f81eadfc8fdb5226f57ce123d228eb2ce6d67be9a3473ac7f89e01abd64a4780
                          • Instruction Fuzzy Hash: 1551B07290420AABEF214F54EC45FAB7BBBEB44752F544428FD1597290E730DC58CB60
                          APIs
                          • __EH_prolog3.LIBCMT ref: 006559F4
                          • std::_Lockit::_Lockit.LIBCPMT ref: 006559FE
                            • Part of subcall function 00652CF0: std::_Lockit::_Lockit.LIBCPMT ref: 00652CFF
                            • Part of subcall function 00652CF0: std::_Lockit::~_Lockit.LIBCPMT ref: 00652D1A
                          • codecvt.LIBCPMT ref: 00655A38
                          • std::_Facet_Register.LIBCPMT ref: 00655A4F
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00655A6F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1761104122.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                          • Associated: 00000000.00000002.1761087802.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761308959.0000000000676000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761326554.0000000000681000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761449438.00000000006CE000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_650000_setup.jbxd
                          Yara matches
                          Similarity
                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
                          • String ID: `e
                          • API String ID: 712880209-3155454700
                          • Opcode ID: a8c9bf2b17ebf8839c99ff4b448dd98a537f28b28c886b8eeb3ef3f8877c3aa3
                          • Instruction ID: df16d0a1e246b7c7cfa368982ba6be8f86fbe8781a5e85c4c1b5e2cc06cace43
                          • Opcode Fuzzy Hash: a8c9bf2b17ebf8839c99ff4b448dd98a537f28b28c886b8eeb3ef3f8877c3aa3
                          • Instruction Fuzzy Hash: 9711E4719006249FCB50EF68D8596AEBBA6AF44711F14451DEC06A7382DF70AE09CB98
                          APIs
                          • __EH_prolog3.LIBCMT ref: 006554B1
                          • std::_Lockit::_Lockit.LIBCPMT ref: 006554BC
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0065552A
                            • Part of subcall function 0065560D: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00655625
                          • std::locale::_Setgloballocale.LIBCPMT ref: 006554D7
                          • _Yarn.LIBCPMT ref: 006554ED
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1761104122.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                          • Associated: 00000000.00000002.1761087802.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761308959.0000000000676000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761326554.0000000000681000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761449438.00000000006CE000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_650000_setup.jbxd
                          Similarity
                          • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                          • String ID: `e
                          • API String ID: 1088826258-3155454700
                          • Opcode ID: cfdb15055efa06a1e094fdb781943373432047ca013f92e9b3f81cbaf93ef6cf
                          • Instruction ID: 2d07f0ac75d7c8453a973daa88a6fb9855f778461ca5354a346b1ce322988270
                          • Opcode Fuzzy Hash: cfdb15055efa06a1e094fdb781943373432047ca013f92e9b3f81cbaf93ef6cf
                          • Instruction Fuzzy Hash: F6018475A00A209BCB45EF24D85997D7B63BF84311F54404DEC1657391DF346E4ACB89
                          APIs
                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,226D7AA9,?,?,00000000,006747C0,000000FF,?,00662A86,?,?,00662A5A,00000016), ref: 00662B2B
                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00662B3D
                          • FreeLibrary.KERNEL32(00000000,?,00000000,006747C0,000000FF,?,00662A86,?,?,00662A5A,00000016), ref: 00662B5F
                          Strings
                          Similarity
                          • API ID: AddressFreeHandleLibraryModuleProc
                          • String ID: CorExitProcess$mscoree.dll$`e
                          • API String ID: 4061214504-3383481718
                          • Opcode ID: ae310759e8752527101bc83c1c1e7122fa9479694642c0f430f1871937f694f7
                          • Instruction ID: 76780d826306ecb7885022943c00d26041834e648be49110eb22936ca68ea950
                          • Opcode Fuzzy Hash: ae310759e8752527101bc83c1c1e7122fa9479694642c0f430f1871937f694f7
                          • Instruction Fuzzy Hash: 2A018631940A5AEFDB158F54DC09FEEBBFAFB04B15F004625F815A22D0DB749944CBA4
                          APIs
                          • std::_Lockit::_Lockit.LIBCPMT ref: 0065223D
                          • std::_Lockit::_Lockit.LIBCPMT ref: 0065225B
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0065227C
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 006522CC
                          • std::_Facet_Register.LIBCPMT ref: 006522F6
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0065230F
                          Similarity
                          • API ID: std::_$Lockit$Lockit::~_$Lockit::_$Facet_Register
                          • String ID:
                          • API String ID: 1858714459-0
                          • Opcode ID: cfc6f9b9dd96275cb885e1aad4146b7b9a63aa21721cc0dbe61a421cecb5e63f
                          • Instruction ID: 09099ffc790d7ed39e95fbf05ff6bce63cd464035d5c52b020c571fa9b0e4f12
                          • Opcode Fuzzy Hash: cfc6f9b9dd96275cb885e1aad4146b7b9a63aa21721cc0dbe61a421cecb5e63f
                          • Instruction Fuzzy Hash: 702104369042128BC710EF18E8609AAB3A3FF81332F14055DEC4957361DB35AE4ECBD2
                          APIs
                          • GetLastError.KERNEL32(?,?,0065A5D1,00658D0A,00657EA5), ref: 0065A5E8
                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0065A5F6
                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0065A60F
                          • SetLastError.KERNEL32(00000000,0065A5D1,00658D0A,00657EA5), ref: 0065A661
                          Similarity
                          • API ID: ErrorLastValue___vcrt_
                          • String ID:
                          • API String ID: 3852720340-0
                          • Opcode ID: 862f77878c11239966222ce7484d565a2b3e1d8a364170158c9adde0214c1d05
                          • Instruction ID: 350a1f79103f14f482952b338642c833129839ca06c3d0ae3243d0df91ef9ff6
                          • Opcode Fuzzy Hash: 862f77878c11239966222ce7484d565a2b3e1d8a364170158c9adde0214c1d05
                          • Instruction Fuzzy Hash: 3A0128322097159E975427B47C86DB62A5BEF01773F24733EFC10522E0EF915C0A5149
                          APIs
                          Strings
                          Similarity
                          • API ID: AdjustPointer
                          • String ID: `e
                          • API String ID: 1740715915-3155454700
                          • Opcode ID: f0b2bbd1e6c34365a126457071400ccb077eb59af86761ca5b5000674373a072
                          • Instruction ID: b7e6d38efa1c2a4773a429dc3383fea55a997a0a4946e20b1ef88eed83f2bbec
                          • Opcode Fuzzy Hash: f0b2bbd1e6c34365a126457071400ccb077eb59af86761ca5b5000674373a072
                          • Instruction Fuzzy Hash: 4251C376A01206AFDB288F94D841BBA77A6FF04312F14462DEC1557791E731AC4ACB92
                          APIs
                          • __alloca_probe_16.LIBCMT ref: 0066877A
                          • __alloca_probe_16.LIBCMT ref: 0066883B
                          • __freea.LIBCMT ref: 006688A2
                            • Part of subcall function 00666756: HeapAlloc.KERNEL32(00000000,?,?,?,006571E1,?,?,0065142D,?,?,00675C1E,?,?), ref: 00666788
                          • __freea.LIBCMT ref: 006688B7
                          • __freea.LIBCMT ref: 006688C7
                          Similarity
                          • API ID: __freea$__alloca_probe_16$AllocHeap
                          • String ID:
                          • API String ID: 1096550386-0
                          • Opcode ID: bbf9339359732202b5d81dfea1f0df5e3aefafd6253f0888a936626557f61b04
                          • Instruction ID: 8cbf7f397b7b751e89792bf5926f83123a0183022c28b357de56cbc343835288
                          • Opcode Fuzzy Hash: bbf9339359732202b5d81dfea1f0df5e3aefafd6253f0888a936626557f61b04
                          • Instruction Fuzzy Hash: 8C518F72600206AFEB219FB5DC81EFB3AABEF44350B55022DFD04E7251EE35CD5096A4
                          APIs
                          • ___except_validate_context_record.LIBVCRUNTIME ref: 0065A41F
                          • __IsNonwritableInCurrentImage.LIBCMT ref: 0065A4D3
                          Strings
                          Similarity
                          • API ID: CurrentImageNonwritable___except_validate_context_record
                          • String ID: csm$`e
                          • API String ID: 3480331319-707837221
                          • Opcode ID: 6f52682abf0db7a06e32806a6f21e5a5365de21fff6317767bf28ef421cfc487
                          • Instruction ID: 96cceb7c0b3e7f2656d9ae0eaca30ff9999946ed4b894c3fcd1e3fca5efda92d
                          • Opcode Fuzzy Hash: 6f52682abf0db7a06e32806a6f21e5a5365de21fff6317767bf28ef421cfc487
                          • Instruction Fuzzy Hash: 6141D634A002089FCF10DFA8C845A9EBBE7EF45325F148259EC199B352D771A949CB92
                          APIs
                          • LoadLibraryExW.KERNEL32(0067FDAC,00000000,00000800,?,0065B6D3,00000000,?,?,?,?,?,0065B7FD,00000002,FlsGetValue,00677E78,FlsGetValue), ref: 0065B72F
                          • GetLastError.KERNEL32(?,0065B6D3,00000000,?,?,?,?,?,0065B7FD,00000002,FlsGetValue,00677E78,FlsGetValue,00000000,?,0065A68D), ref: 0065B739
                          • LoadLibraryExW.KERNEL32(0067FDAC,00000000,00000000,?,0067FDAC,?,?,?,?,?,?,0067FC80,string too long,0067FC80,0067FC80), ref: 0065B761
                          Strings
                          Similarity
                          • API ID: LibraryLoad$ErrorLast
                          • String ID: api-ms-
                          • API String ID: 3177248105-2084034818
                          • Opcode ID: f11122d260deb7111f126ff625c3623f691db8d494f0a24f5fd29ae2b0241ef3
                          • Instruction ID: 38314b019c62166ea08c328687fc88a82c7f273adb37e21e68e5188e9f98daac
                          • Opcode Fuzzy Hash: f11122d260deb7111f126ff625c3623f691db8d494f0a24f5fd29ae2b0241ef3
                          • Instruction Fuzzy Hash: 7DE04F30684605FBEF102F61ED06B993B67AB45B41F10A020FD0DE82F1DB62E8549BA4
                          APIs
                          • GetConsoleOutputCP.KERNEL32(226D7AA9,00000000,00000000,?), ref: 00668D1F
                            • Part of subcall function 0066AEBC: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00668898,?,00000000,-00000008), ref: 0066AF68
                          • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00668F7A
                          • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00668FC2
                          • GetLastError.KERNEL32 ref: 00669065
                          Similarity
                          • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                          • String ID:
                          • API String ID: 2112829910-0
                          • Opcode ID: 3e2941ce6485f76388b11edeeed8e39137c5eb6a9b59b90d9cf6d79baef3cfc9
                          • Instruction ID: 01d2e5add3c093fbcff62ab0e9c1a567fbc887f658c01d22dfdcbfa7a9e48967
                          • Opcode Fuzzy Hash: 3e2941ce6485f76388b11edeeed8e39137c5eb6a9b59b90d9cf6d79baef3cfc9
                          • Instruction Fuzzy Hash: 68D16A75D042589FCF15CFA8D8809EDBBBAFF49314F28416AE856E7351DB30A942CB60
                          APIs
                            • Part of subcall function 0066AEBC: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00668898,?,00000000,-00000008), ref: 0066AF68
                          • GetLastError.KERNEL32 ref: 0066B33C
                          • __dosmaperr.LIBCMT ref: 0066B343
                          • GetLastError.KERNEL32(?,?,?,?), ref: 0066B37D
                          • __dosmaperr.LIBCMT ref: 0066B384
                          Similarity
                          • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                          • String ID:
                          • API String ID: 1913693674-0
                          • Opcode ID: b327d36807fa8252490c9e7e927f1bdd665017cadeae6aa5d71586e7694e40a9
                          • Instruction ID: 8b45b1ece33d496c3f89bec724d9318d55a683ab8fa4f81d03d4e300b14ff5ad
                          • Opcode Fuzzy Hash: b327d36807fa8252490c9e7e927f1bdd665017cadeae6aa5d71586e7694e40a9
                          • Instruction Fuzzy Hash: BC218E71700605EFDB20AF66C8819ABB7AFEF44364714952CF959E7351EB31EC908BA0
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a02677cf44ad8c280345f36ff5f10dab5676d930166c80cd86640f52b32ca429
                          • Instruction ID: 7ad96369509d64e6a74b7b34247529952cb7c88b44932f5f348fabce9620b69c
                          • Opcode Fuzzy Hash: a02677cf44ad8c280345f36ff5f10dab5676d930166c80cd86640f52b32ca429
                          • Instruction Fuzzy Hash: BF21CD31600605BFDB60AF61DC819AFB7ABEF463647185928F819DB250EB35EC408BA0
                          APIs
                          • GetEnvironmentStringsW.KERNEL32 ref: 0066C276
                            • Part of subcall function 0066AEBC: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00668898,?,00000000,-00000008), ref: 0066AF68
                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0066C2AE
                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0066C2CE
                          Similarity
                          • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                          • String ID:
                          • API String ID: 158306478-0
                          • Opcode ID: e462f952d68928431dc001e1737e3eb7c4be2929ac93f3f77fe6e00acd2980ac
                          • Instruction ID: 34efedd3fc5bc348df3f530f4c986a0b1c9a48bd5e26796309959420deca4ab7
                          • Opcode Fuzzy Hash: e462f952d68928431dc001e1737e3eb7c4be2929ac93f3f77fe6e00acd2980ac
                          • Instruction Fuzzy Hash: 691104B2601E097EE72127F59D8ECBF6A6EDE843A87100128F806E1202FA349E4581B5
                          APIs
                          • WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,00671BF4,00000000,00000001,00000000,?,?,006690B9,?,00000000,00000000), ref: 00672E50
                          • GetLastError.KERNEL32(?,00671BF4,00000000,00000001,00000000,?,?,006690B9,?,00000000,00000000,?,?,?,00669640,00000001), ref: 00672E5C
                            • Part of subcall function 00672E22: CloseHandle.KERNEL32(FFFFFFFE,00672E6C,?,00671BF4,00000000,00000001,00000000,?,?,006690B9,?,00000000,00000000,?,?), ref: 00672E32
                          • ___initconout.LIBCMT ref: 00672E6C
                            • Part of subcall function 00672DE4: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00672E13,00671BE1,?,?,006690B9,?,00000000,00000000,?), ref: 00672DF7
                          • WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,00671BF4,00000000,00000001,00000000,?,?,006690B9,?,00000000,00000000,?), ref: 00672E81
                          Similarity
                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                          • String ID:
                          • API String ID: 2744216297-0
                          • Opcode ID: d9b8ae22a9cec35e3f0111a6732546c4b76f54988a1b4175cd74e990af8d1333
                          • Instruction ID: bb001199445531c3968f759aaeb8fada429b1449cc2269e1fee6d5a0aa6013a8
                          • Opcode Fuzzy Hash: d9b8ae22a9cec35e3f0111a6732546c4b76f54988a1b4175cd74e990af8d1333
                          • Instruction Fuzzy Hash: 1BF0153680052ABBCF622FD5DC0C99A7F27EB083B0B049014FA0C85221C73289A09BA0
                          APIs
                          • OffsetRect.USER32(00000000,00000000,00000000), ref: 00675716
                          Strings
                          Similarity
                          • API ID: OffsetRect
                          • String ID: 0$Zatlat
                          • API String ID: 177026234-1547964091
                          • Opcode ID: b26ce1d2425874173c8f3718448d860953e416c08159bf82b781951f48e0a4e2
                          • Instruction ID: 3bab531afd7504f970d5fcaf537f8f9be47a2b3294dded006a53d278d477c7c9
                          • Opcode Fuzzy Hash: b26ce1d2425874173c8f3718448d860953e416c08159bf82b781951f48e0a4e2
                          • Instruction Fuzzy Hash: 0D910F315087808FD310DF28C895B6FBBE2AFC5318F584A6DF8C98B292C3B5D5488B56
                          APIs
                          • EncodePointer.KERNEL32(00000000,?), ref: 0065AD12
                          Strings
                          Similarity
                          • API ID: EncodePointer
                          • String ID: MOC$RCC
                          • API String ID: 2118026453-2084237596
                          • Opcode ID: 73ee98f6389a3fad698b97f5926271e85ba06418da60ce2f13c11857a653497c
                          • Instruction ID: e0041dd6c25f361a89006d7d8c3ba6458d4dcbb1d6d6e466e80b97ff23332d8a
                          • Opcode Fuzzy Hash: 73ee98f6389a3fad698b97f5926271e85ba06418da60ce2f13c11857a653497c
                          • Instruction Fuzzy Hash: AC414971900209AFCF15DF94C982AEEBBB6FF48302F184299FD0467261D7359954DF92
                          APIs
                          • std::_Lockit::_Lockit.LIBCPMT ref: 00655543
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0065559F
                          Strings
                          Similarity
                          • API ID: Lockitstd::_$Lockit::_Lockit::~_
                          • String ID: `e
                          • API String ID: 593203224-3155454700
                          • Opcode ID: 1b83a074cfee4bc2880ebed0ab8e3de08d404cea7cc38e065dbe731d97a43839
                          • Instruction ID: 5a48bc90dbb9018e4c1aa6373352f5f95bf93c22edcb3622fb94ef9243ea7a5d
                          • Opcode Fuzzy Hash: 1b83a074cfee4bc2880ebed0ab8e3de08d404cea7cc38e065dbe731d97a43839
                          • Instruction Fuzzy Hash: D101B535600614EFCB05DB18C899E9D77B7EF84355F140099E8069B361EF70EE48CB50
                          APIs
                          • std::_Lockit::_Lockit.LIBCPMT ref: 00652425
                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0065246A
                            • Part of subcall function 006555A8: _Yarn.LIBCPMT ref: 006555C7
                            • Part of subcall function 006555A8: _Yarn.LIBCPMT ref: 006555EB
                          Strings
                          Similarity
                          • API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
                          • String ID: bad locale name
                          • API String ID: 1908188788-1405518554
                          • Opcode ID: 1cf4976e2f997223a487336168ff1a725515796dd9c51b78386c634d16a2fa97
                          • Instruction ID: c987a8c60132547469ca8b891b52b8de7a04a33fb48d0089927983367a6e3194
                          • Opcode Fuzzy Hash: 1cf4976e2f997223a487336168ff1a725515796dd9c51b78386c634d16a2fa97
                          • Instruction Fuzzy Hash: 64F01770101B408ED3B0DF39C415743BEE0AF29315F048A5DE8DAC7A42E375E548CBAA
                          APIs
                          • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?), ref: 00666274
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1761104122.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                          • Associated: 00000000.00000002.1761087802.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761308959.0000000000676000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761326554.0000000000681000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761449438.00000000006CE000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_650000_setup.jbxd
                          Yara matches
                          Similarity
                          • API ID: CountCriticalInitializeSectionSpin
                          • String ID: InitializeCriticalSectionEx$`e
                          • API String ID: 2593887523-1225887122
                          • Opcode ID: 6a39e89ba973099bf33b89171225a1bc68e8e6dfd47bfe64c09533c4f4627ed1
                          • Instruction ID: 1a401b6f9238a69108d3697926154cebbb17c71db16c2e13cda6b4777d690dd2
                          • Opcode Fuzzy Hash: 6a39e89ba973099bf33b89171225a1bc68e8e6dfd47bfe64c09533c4f4627ed1
                          • Instruction Fuzzy Hash: A5E09232180258B7CF112F91DC09D9E7F27EB54761F01C010FD0D25160C6B28A61DB91
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1761104122.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                          • Associated: 00000000.00000002.1761087802.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761308959.0000000000676000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761326554.0000000000681000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761449438.00000000006CE000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_650000_setup.jbxd
                          Yara matches
                          Similarity
                          • API ID: Alloc
                          • String ID: FlsAlloc$`e
                          • API String ID: 2773662609-2626264062
                          • Opcode ID: 6511020889e5315f406a22e3f878ff8d14aa90dc9a0f204449ca9a71a9cdb9cb
                          • Instruction ID: 108806486a9bbeb506b9497777dabd5c9d48fa016e0da567329e9f2b6b381c36
                          • Opcode Fuzzy Hash: 6511020889e5315f406a22e3f878ff8d14aa90dc9a0f204449ca9a71a9cdb9cb
                          • Instruction Fuzzy Hash: A4E0C2316807A8B3C71037A0ED0AC9F7E07CB80B61B018030FE0D51292D9A149D1C6E7
                          APIs
                          • std::_Lockit::_Lockit.LIBCPMT ref: 00652CFF
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00652D1A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1761104122.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                          • Associated: 00000000.00000002.1761087802.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761308959.0000000000676000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761326554.0000000000681000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1761449438.00000000006CE000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_650000_setup.jbxd
                          Yara matches
                          Similarity
                          • API ID: Lockitstd::_$Lockit::_Lockit::~_
                          • String ID: ios_base::badbit set
                          • API String ID: 593203224-3882152299
                          • Opcode ID: de2d671080a7fc240998f32aa51542fe3ba30e485b4f8f0fc3ab2ec687952814
                          • Instruction ID: a4998278354bf1a3f61e2522a69c2df159637af8efc93f6f758a385088e82496
                          • Opcode Fuzzy Hash: de2d671080a7fc240998f32aa51542fe3ba30e485b4f8f0fc3ab2ec687952814
                          • Instruction Fuzzy Hash: 20E08C71400202DFC324DF18E855BE1B3E2EF14322F20052EE4D983290EFB058C4CB80

                          Execution Graph

                          Execution Coverage:7.5%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:0%
                          Total number of Nodes:45
                          Total number of Limit Nodes:6
                          execution_graph 15453 d94668 15454 d94684 15453->15454 15455 d94696 15454->15455 15457 d947a0 15454->15457 15458 d947a4 15457->15458 15462 d948a1 15458->15462 15466 d948b0 15458->15466 15463 d948a4 15462->15463 15464 d949b4 15463->15464 15470 d94248 15463->15470 15468 d948d7 15466->15468 15467 d949b4 15467->15467 15468->15467 15469 d94248 CreateActCtxA 15468->15469 15469->15467 15471 d95940 CreateActCtxA 15470->15471 15473 d95a03 15471->15473 15474 d9d0b8 15475 d9d0fe GetCurrentProcess 15474->15475 15477 d9d149 15475->15477 15478 d9d150 GetCurrentThread 15475->15478 15477->15478 15479 d9d18d GetCurrentProcess 15478->15479 15480 d9d186 15478->15480 15481 d9d1c3 15479->15481 15480->15479 15482 d9d1eb GetCurrentThreadId 15481->15482 15483 d9d21c 15482->15483 15484 d9ad38 15487 d9ae30 15484->15487 15485 d9ad47 15488 d9ae41 15487->15488 15489 d9ae64 15487->15489 15488->15489 15495 d9b0c8 15488->15495 15499 d9b0b8 15488->15499 15489->15485 15490 d9ae5c 15490->15489 15491 d9b068 GetModuleHandleW 15490->15491 15492 d9b095 15491->15492 15492->15485 15496 d9b0dc 15495->15496 15498 d9b101 15496->15498 15503 d9a870 15496->15503 15498->15490 15500 d9b0bc 15499->15500 15501 d9a870 LoadLibraryExW 15500->15501 15502 d9b101 15500->15502 15501->15502 15502->15490 15504 d9b2a8 LoadLibraryExW 15503->15504 15506 d9b321 15504->15506 15506->15498 15507 d9d300 15508 d9d302 DuplicateHandle 15507->15508 15509 d9d396 15508->15509

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 263 d9d0a8-d9d147 GetCurrentProcess 268 d9d149-d9d14f 263->268 269 d9d150-d9d184 GetCurrentThread 263->269 268->269 270 d9d18d-d9d1c1 GetCurrentProcess 269->270 271 d9d186-d9d18c 269->271 273 d9d1ca-d9d1e5 call d9d289 270->273 274 d9d1c3-d9d1c9 270->274 271->270 276 d9d1eb-d9d21a GetCurrentThreadId 273->276 274->273 278 d9d21c-d9d222 276->278 279 d9d223-d9d285 276->279 278->279
                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 00D9D136
                          • GetCurrentThread.KERNEL32 ref: 00D9D173
                          • GetCurrentProcess.KERNEL32 ref: 00D9D1B0
                          • GetCurrentThreadId.KERNEL32 ref: 00D9D209
                          Memory Dump Source
                          • Source File: 00000002.00000002.1827132726.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_d90000_RegAsm.jbxd
                          Similarity
                          • API ID: Current$ProcessThread
                          • String ID:
                          • API String ID: 2063062207-0
                          • Opcode ID: 636b3ec42e69c77afb77798e37d796d62399bbd3127de892428b99d3a39f8005
                          • Instruction ID: 35b3ed81ea8a7eab77e248c8463a2f1839776da2b62d5a5dd5794b3d9b37c6c4
                          • Opcode Fuzzy Hash: 636b3ec42e69c77afb77798e37d796d62399bbd3127de892428b99d3a39f8005
                          • Instruction Fuzzy Hash: B65137B0900349CFDB54CFAAD948BAEBBF2EF88314F24845DE419A73A0D7749944CB65

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 286 d9d0b8-d9d147 GetCurrentProcess 290 d9d149-d9d14f 286->290 291 d9d150-d9d184 GetCurrentThread 286->291 290->291 292 d9d18d-d9d1c1 GetCurrentProcess 291->292 293 d9d186-d9d18c 291->293 295 d9d1ca-d9d1e5 call d9d289 292->295 296 d9d1c3-d9d1c9 292->296 293->292 298 d9d1eb-d9d21a GetCurrentThreadId 295->298 296->295 300 d9d21c-d9d222 298->300 301 d9d223-d9d285 298->301 300->301
                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 00D9D136
                          • GetCurrentThread.KERNEL32 ref: 00D9D173
                          • GetCurrentProcess.KERNEL32 ref: 00D9D1B0
                          • GetCurrentThreadId.KERNEL32 ref: 00D9D209
                          Memory Dump Source
                          • Source File: 00000002.00000002.1827132726.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_d90000_RegAsm.jbxd
                          Similarity
                          • API ID: Current$ProcessThread
                          • String ID:
                          • API String ID: 2063062207-0
                          • Opcode ID: 072158f05dba3223fb8bf004684526398157094b4624f3010bea19569c25b1ab
                          • Instruction ID: c5fc3c34d1b16ebe563d500296ebcc85421605c64c930b7f14f10c11167885e4
                          • Opcode Fuzzy Hash: 072158f05dba3223fb8bf004684526398157094b4624f3010bea19569c25b1ab
                          • Instruction Fuzzy Hash: 3C5137B0900349CFDB54CFAAD948B9EBBF2EF88314F24845DE419A73A0D7749984CB65

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 348 d9ae30-d9ae3f 349 d9ae6b-d9ae6f 348->349 350 d9ae41-d9ae4e call d99838 348->350 352 d9ae71-d9ae7b 349->352 353 d9ae83-d9aec4 349->353 356 d9ae50 350->356 357 d9ae64 350->357 352->353 359 d9aed1-d9aedf 353->359 360 d9aec6-d9aece 353->360 410 d9ae56 call d9b0c8 356->410 411 d9ae56 call d9b0b8 356->411 357->349 361 d9aee1-d9aee6 359->361 362 d9af03-d9af05 359->362 360->359 364 d9aee8-d9aeef call d9a814 361->364 365 d9aef1 361->365 367 d9af08-d9af0f 362->367 363 d9ae5c-d9ae5e 363->357 366 d9afa0-d9afb7 363->366 369 d9aef3-d9af01 364->369 365->369 381 d9afb9-d9b018 366->381 370 d9af1c-d9af23 367->370 371 d9af11-d9af19 367->371 369->367 372 d9af30-d9af39 call d9a824 370->372 373 d9af25-d9af2d 370->373 371->370 379 d9af3b-d9af43 372->379 380 d9af46-d9af4b 372->380 373->372 379->380 382 d9af69-d9af76 380->382 383 d9af4d-d9af54 380->383 399 d9b01a 381->399 390 d9af99-d9af9f 382->390 391 d9af78-d9af96 382->391 383->382 384 d9af56-d9af66 call d9a834 call d9a844 383->384 384->382 391->390 400 d9b01c 399->400 401 d9b01e 399->401 400->401 402 d9b048-d9b060 400->402 403 d9b020-d9b021 401->403 404 d9b022-d9b046 401->404 405 d9b068-d9b093 GetModuleHandleW 402->405 406 d9b062-d9b065 402->406 403->404 404->402 407 d9b09c-d9b0b0 405->407 408 d9b095-d9b09b 405->408 406->405 408->407 410->363 411->363
                          APIs
                          • GetModuleHandleW.KERNEL32(00000000), ref: 00D9B086
                          Memory Dump Source
                          • Source File: 00000002.00000002.1827132726.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_d90000_RegAsm.jbxd
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0
                          • Opcode ID: 00133621c44e467151a474ae4fbd9b10019d61757175db24ba755e75f9bde4ae
                          • Instruction ID: 514126c16023a87b6dc23c043fa3dc72e05063219365e197038418de231fc60e
                          • Opcode Fuzzy Hash: 00133621c44e467151a474ae4fbd9b10019d61757175db24ba755e75f9bde4ae
                          • Instruction Fuzzy Hash: E7816AB1A00B058FDB24DF29D14176ABBF1FF88304F14892EE08AD7A51D775E846CBA1

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 412 d95935-d95936 413 d95938-d95939 412->413 414 d9593a 412->414 413->414 415 d9593c 414->415 416 d9593e 414->416 415->416 417 d95940-d95a01 CreateActCtxA 416->417 419 d95a0a-d95a64 417->419 420 d95a03-d95a09 417->420 427 d95a73-d95a77 419->427 428 d95a66-d95a69 419->428 420->419 429 d95a79-d95a85 427->429 430 d95a88 427->430 428->427 429->430 432 d95a89 430->432 432->432
                          APIs
                          • CreateActCtxA.KERNEL32(?), ref: 00D959F1
                          Memory Dump Source
                          • Source File: 00000002.00000002.1827132726.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_d90000_RegAsm.jbxd
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0
                          • Opcode ID: 97bb3878e29e328c9a5d99974acd8bf34ee07c0d66f31c4d84ae9e69502f753f
                          • Instruction ID: babfef6074e1a5cecdf115fd56efb134aeca5fbd69356b323f15406f29211549
                          • Opcode Fuzzy Hash: 97bb3878e29e328c9a5d99974acd8bf34ee07c0d66f31c4d84ae9e69502f753f
                          • Instruction Fuzzy Hash: 094113B0C00719CEDF25CFA9D984B9EBBB5FF84304F20816AD408AB255DB756946CFA0

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 433 d94248-d95a01 CreateActCtxA 436 d95a0a-d95a64 433->436 437 d95a03-d95a09 433->437 444 d95a73-d95a77 436->444 445 d95a66-d95a69 436->445 437->436 446 d95a79-d95a85 444->446 447 d95a88 444->447 445->444 446->447 449 d95a89 447->449 449->449
                          APIs
                          • CreateActCtxA.KERNEL32(?), ref: 00D959F1
                          Memory Dump Source
                          • Source File: 00000002.00000002.1827132726.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_d90000_RegAsm.jbxd
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0
                          • Opcode ID: 5bc7e8d662363539f9ea18e39f64893ea678f92283b6aa86185122e871e46fdb
                          • Instruction ID: 20313364027dffad0cd03889ce082bb564f98e3970fdd61f7dc096a429c916d6
                          • Opcode Fuzzy Hash: 5bc7e8d662363539f9ea18e39f64893ea678f92283b6aa86185122e871e46fdb
                          • Instruction Fuzzy Hash: 6541DFB0D00619CFDB25CFA9C984B9EBBB5FF48304F20816AD408AB255DBB56945CFA0

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 450 d9d2f9-d9d2fe 451 d9d300-d9d301 450->451 452 d9d302-d9d394 DuplicateHandle 450->452 451->452 453 d9d39d-d9d3ba 452->453 454 d9d396-d9d39c 452->454 454->453
                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D9D387
                          Memory Dump Source
                          • Source File: 00000002.00000002.1827132726.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_d90000_RegAsm.jbxd
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0
                          • Opcode ID: 53b6b0f5d83535150d0a7a828bcc13cff15d638a5b7c2b78c9f558a29aa6f1b0
                          • Instruction ID: 4ad8a91620a9a5f7ac7e9d04c6c4132bb85f9835ce7fd95bd3ed9431f217b338
                          • Opcode Fuzzy Hash: 53b6b0f5d83535150d0a7a828bcc13cff15d638a5b7c2b78c9f558a29aa6f1b0
                          • Instruction Fuzzy Hash: DD21E3B59002099FDB10CF9AD985AEEBBF5EB48310F24801AE918A3310D374A944CFA1

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 457 d9d300-d9d394 DuplicateHandle 459 d9d39d-d9d3ba 457->459 460 d9d396-d9d39c 457->460 460->459
                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D9D387
                          Memory Dump Source
                          • Source File: 00000002.00000002.1827132726.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_d90000_RegAsm.jbxd
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0
                          • Opcode ID: 25eb0e7a28910246ca8e4da26e244c08418ad39b6e7645139ba0203d2459d3cc
                          • Instruction ID: 5f44373ea28584c9829f78b2e2a9bfcd8b7658fa08d372364be3d61fcb195620
                          • Opcode Fuzzy Hash: 25eb0e7a28910246ca8e4da26e244c08418ad39b6e7645139ba0203d2459d3cc
                          • Instruction Fuzzy Hash: BB21C4B5900249DFDB10CF9AD984ADEBFF5EB48320F14841AE918A7310D374A954DFA5

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 463 d9b2a0-d9b2a2 464 d9b2a4 463->464 465 d9b2a6-d9b2e8 463->465 464->465 467 d9b2ea-d9b2ed 465->467 468 d9b2f0-d9b31f LoadLibraryExW 465->468 467->468 469 d9b328-d9b345 468->469 470 d9b321-d9b327 468->470 470->469
                          APIs
                          • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00D9B101,00000800,00000000,00000000), ref: 00D9B312
                          Memory Dump Source
                          • Source File: 00000002.00000002.1827132726.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_d90000_RegAsm.jbxd
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: abf3016b3e079cde1b6a940dbc22c8eb7fcfc8d3640c5dbccb62901eed89fc9a
                          • Instruction ID: c9ca0580533f724a6e25f185dca6cb57b1991273b1430604fa1599f99482c5c8
                          • Opcode Fuzzy Hash: abf3016b3e079cde1b6a940dbc22c8eb7fcfc8d3640c5dbccb62901eed89fc9a
                          • Instruction Fuzzy Hash: E42117B69002499FCF10CF9AD544AEEFBF5EB98320F15842ED419A7300C775A945CFA5

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 473 d9a870-d9b2e8 475 d9b2ea-d9b2ed 473->475 476 d9b2f0-d9b31f LoadLibraryExW 473->476 475->476 477 d9b328-d9b345 476->477 478 d9b321-d9b327 476->478 478->477
                          APIs
                          • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00D9B101,00000800,00000000,00000000), ref: 00D9B312
                          Memory Dump Source
                          • Source File: 00000002.00000002.1827132726.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_d90000_RegAsm.jbxd
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: 44f19fd068cfcd182ed67e08fc1b6bf776f029bfda0ce82b4a245f202d4c872e
                          • Instruction ID: 7ec6c55692c45a5933d21f2bf3db5bfe9ef9497c3264119e3a3ebb6d0ae87815
                          • Opcode Fuzzy Hash: 44f19fd068cfcd182ed67e08fc1b6bf776f029bfda0ce82b4a245f202d4c872e
                          • Instruction Fuzzy Hash: 391114B6D003499FCB10CF9AD544A9EFBF5EB48320F15842EE819A7300C375A945CFA5

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 481 d9b020-d9b060 484 d9b068-d9b093 GetModuleHandleW 481->484 485 d9b062-d9b065 481->485 486 d9b09c-d9b0b0 484->486 487 d9b095-d9b09b 484->487 485->484 487->486
                          APIs
                          • GetModuleHandleW.KERNEL32(00000000), ref: 00D9B086
                          Memory Dump Source
                          • Source File: 00000002.00000002.1827132726.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_d90000_RegAsm.jbxd
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0
                          • Opcode ID: 49c8b5b582cb9a7e2fda1798f796acf0cee02d99dafe0c56214d554138718b72
                          • Instruction ID: d0ed35f658f14d9eec2169bf6fe7fbeed819937f95a3b6e7fc67063c6b254c84
                          • Opcode Fuzzy Hash: 49c8b5b582cb9a7e2fda1798f796acf0cee02d99dafe0c56214d554138718b72
                          • Instruction Fuzzy Hash: 33110FB5C003498FCB20CF9AD544A9EFBF5AB89324F14841AD428A7210C379A545CFA1
                          Memory Dump Source
                          • Source File: 00000002.00000002.1826915050.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_d3d000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1917c32ef1cb376a8cf97f4d91231fc40a39e736ee99fd25ebe9605845849ba1
                          • Instruction ID: bb5d4977bc4365ca4a72ea254d64da4f6b7491c476b19b02eedf8c36d5be205e
                          • Opcode Fuzzy Hash: 1917c32ef1cb376a8cf97f4d91231fc40a39e736ee99fd25ebe9605845849ba1
                          • Instruction Fuzzy Hash: 212106B1504240EFCB15CF14E9C0B26BFA6FB88314F24C569E9494B245C336E816DFB1
                          Memory Dump Source
                          • Source File: 00000002.00000002.1826915050.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_d3d000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 05dab6f924b7a2352b3b90b2aaafa4a7d682696b194cad7c03cd6a70b8b491a4
                          • Instruction ID: 9191b37d52e458d4fb53ec509275491ce68adf248e2606d4d14eb8e2f5d76933
                          • Opcode Fuzzy Hash: 05dab6f924b7a2352b3b90b2aaafa4a7d682696b194cad7c03cd6a70b8b491a4
                          • Instruction Fuzzy Hash: 0D2125B1504204DFDB05DF14E9C0B26BF66FB94324F24C569E94A0B256C336E856DFB2
                          Memory Dump Source
                          • Source File: 00000002.00000002.1826915050.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_d3d000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9e535ca251eee153cadaf195a074bca614fe4d96152942a528c2ce2f0762e442
                          • Instruction ID: 8373b969b1198394c7ec16aeac0ed4f076fdfbe454e3168a6c2cb3a1c8c2fc00
                          • Opcode Fuzzy Hash: 9e535ca251eee153cadaf195a074bca614fe4d96152942a528c2ce2f0762e442
                          • Instruction Fuzzy Hash: C82125B2504240DFCB15DF14E9C0B26BF66FB94318F24C569E9490B256C336D856DFB1
                          Memory Dump Source
                          • Source File: 00000002.00000002.1826949629.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_d4d000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a89a7e54ef74224c050f4d323441ad351093b149dc6f5e67f0c52228e0d86363
                          • Instruction ID: 21d02550d04332ad164192c58b868947fd8f9de5481c81e4c11975ac31648087
                          • Opcode Fuzzy Hash: a89a7e54ef74224c050f4d323441ad351093b149dc6f5e67f0c52228e0d86363
                          • Instruction Fuzzy Hash: 942104B5604240DFCB14DF14D9C4B26BB66FB84314F24C96DE94A4B286C73AD847CB71
                          Memory Dump Source
                          • Source File: 00000002.00000002.1826949629.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_d4d000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9e9024de70a485db2970b75393ec887b8c46bd6a135c5a4ea766f77dac84b926
                          • Instruction ID: 8f8f0979a87b40c3daa06af802e13f147e22ea1ad7bfe5f5b2def5311429237a
                          • Opcode Fuzzy Hash: 9e9024de70a485db2970b75393ec887b8c46bd6a135c5a4ea766f77dac84b926
                          • Instruction Fuzzy Hash: 842180755093C08FCB12CF24D994715BF72EB46314F28C5EAD8498B6A7C33AD84ACB62
                          Memory Dump Source
                          • Source File: 00000002.00000002.1826915050.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_d3d000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 390633afb84827573b5761d9362e8787b9a5bcb2a7aa5b15411ec10cb4b37b7d
                          • Instruction ID: d06a5a7979e23c9ac482b68c710bceca88340e76191678af0ec26b26113719d8
                          • Opcode Fuzzy Hash: 390633afb84827573b5761d9362e8787b9a5bcb2a7aa5b15411ec10cb4b37b7d
                          • Instruction Fuzzy Hash: 6021D276404280DFCB16CF10E9C0B16BF72FB88314F28C6A9D9480B216C33AD826CFA1
                          Memory Dump Source
                          • Source File: 00000002.00000002.1826915050.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_d3d000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cc07a575d8e399a32a752274fa621ccc9f9672b2c77dae55393772abe3e3f78f
                          • Instruction ID: e2eec2bd48552e5949ab9c09f15ba45b6ca32c317fc94d6e9429d1feaed6b3f6
                          • Opcode Fuzzy Hash: cc07a575d8e399a32a752274fa621ccc9f9672b2c77dae55393772abe3e3f78f
                          • Instruction Fuzzy Hash: FF110372404240CFCB12CF10E9C0B16BF72FB94324F28C2A9D8090B616C33AE85ACFA1
                          Memory Dump Source
                          • Source File: 00000002.00000002.1826915050.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_d3d000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cc07a575d8e399a32a752274fa621ccc9f9672b2c77dae55393772abe3e3f78f
                          • Instruction ID: be2bf35d522fdc1684ca2241e461eb175a9effbcccc2c81a680799ccfe535530
                          • Opcode Fuzzy Hash: cc07a575d8e399a32a752274fa621ccc9f9672b2c77dae55393772abe3e3f78f
                          • Instruction Fuzzy Hash: 0411E676504280CFCB16CF14D9C4B16BF72FB94318F28C6A9D8494B656C33AD85ACFA1