Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1466011
MD5: 75a2d212a591a83a4d0c88a92b390b88
SHA1: 8f69b79a0d6bc6b4def35b38ec46d15e6eb1c1d9
SHA256: cf47a943ec0eb86c16a8d7e6e0ad8c4bfb6063af089e1b3809ed44ac45347e71
Tags: exe

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RedLine Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • file.exe (PID: 6760 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 75A2D212A591A83A4D0C88A92B390B88)
    • RegAsm.exe (PID: 4832 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • RegAsm.exe (PID: 5780 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • WerFault.exe (PID: 2408 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6760 -s 304 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": "77.105.135.107:3445", "Bot Id": "LogsDiller Cloud (TG: @logsdillabot)", "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author
00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000002.00000002.2193423222.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Process Memory Space: file.exe PID: 6760 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Source | Rule | Description | Author
0.2.file.exe.bbab00.1.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
2.2.RegAsm.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.file.exe.bbab00.1.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.file.exe.b20000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
No Sigma rule has matched

Timestamp: 07/02/24-12:24:00.932845
SID: 2046045
Source Port: 49704
Destination Port: 3445
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 07/02/24-12:24:06.375739
SID: 2046056
Source Port: 3445
Destination Port: 49704
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 07/02/24-12:24:01.127422
SID: 2043234
Source Port: 3445
Destination Port: 49704
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 07/02/24-12:24:13.135257
SID: 2043231
Source Port: 49704
Destination Port: 3445
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": "77.105.135.107:3445", "Bot Id": "LogsDiller Cloud (TG: @logsdillabot)", "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}
Source: file.exe | ReversingLabs: Detection: 60%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\p1cdefvh41vy\output.pdb source: file.exe
Source: Binary string: C:\p1cdefvh41vy\output.pdb' source: file.exe
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B92DA6 FindFirstFileExW, 0_2_00B92DA6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B93193 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00B93193

Networking

Source: Traffic | Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.5:49704 -> 77.105.135.107:3445
Source: Traffic | Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.5:49704 -> 77.105.135.107:3445
Source: Traffic | Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 77.105.135.107:3445 -> 192.168.2.5:49704
Source: Traffic | Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 77.105.135.107:3445 -> 192.168.2.5:49704
Source: Malware configuration extractor | URLs: 77.105.135.107:3445
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 77.105.135.107:3445
Source: Joe Sandbox View | ASN Name: PLUSTELECOM-ASRU PLUSTELECOM-ASRU
Source: unknown | TCP traffic detected without corresponding DNS query: 77.105.135.107
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: RegAsm.exe, 00000002.00000002.2194057425.000000000103E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ns.adob
Source: RegAsm.exe, 00000002.00000002.2194057425.000000000103E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://purl.oen
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                        Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                        Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                        Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                        Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                        Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                        Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                        Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/D
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DFD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: RegAsm.exe, 00000002.00000002.2194705356.000000000304D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: RegAsm.exe, 00000002.00000002.2194705356.000000000304D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DFD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DFD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DFD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DFD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DFD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DFD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DFD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000003097000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21
Source: RegAsm.exe, 00000002.00000002.2194705356.000000000304D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000003097000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000003097000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2194705356.0000000003097000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000003097000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DFD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DFD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2194705356.0000000002DF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DFD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DFD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
Source: Amcache.hve.6.dr String found in binary or memory: http://upx.sf.net
Source: RegAsm.exe, 00000002.00000002.2194705356.000000000315E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2197364899.0000000003D5B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2194705356.0000000003274000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2194705356.0000000003164000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000002.00000002.2193423222.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: RegAsm.exe, 00000002.00000002.2194705356.000000000315E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2197364899.0000000003D5B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2194705356.0000000003274000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2194705356.0000000003164000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegAsm.exe, 00000002.00000002.2194705356.000000000315E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2197364899.0000000003D5B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2194705356.0000000003274000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2194705356.0000000003164000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RegAsm.exe, 00000002.00000002.2194705356.000000000315E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2197364899.0000000003D5B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2194705356.0000000003274000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2194705356.0000000003164000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegAsm.exe, 00000002.00000002.2194705356.000000000315E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2197364899.0000000003D5B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2194705356.0000000003274000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2194705356.0000000003164000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegAsm.exe, 00000002.00000002.2197364899.0000000003D5B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2194705356.0000000003164000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RegAsm.exe, 00000002.00000002.2194705356.000000000315E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2194705356.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtabS
Source: RegAsm.exe, 00000002.00000002.2194705356.000000000315E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2197364899.0000000003D5B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2194705356.0000000003274000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2194705356.0000000003164000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegAsm.exe, 00000002.00000002.2194705356.000000000315E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2197364899.0000000003D5B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2194705356.0000000003274000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2194705356.0000000003164000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: RegAsm.exe, 00000002.00000002.2194705356.000000000315E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2197364899.0000000003D5B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2194705356.0000000003274000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2194705356.0000000003164000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B9A02C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B6E1A4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B6C2C6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B8C310
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B825A5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B6E5C5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B6C60E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B7C99E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B6E9F5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B8A9F5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B6C965
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B6CCAD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B98CF7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B4EC30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B6D03B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B6D3D8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B7F4F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B7D471
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B31560
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B23780
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B6D766
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BA78B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B6DACB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B7FA20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B6DE3F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B7FE60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B53FF4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_02BADC74
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00B76D38 appears 32 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00B4C7AF appears 117 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00B88C84 appears 33 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00B4D160 appears 67 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00B4C7E2 appears 76 times
                        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6760 -s 304
                        Source: file.exe, 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamePunningly.exe8 vs file.exe
                        Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@6/6@0/1
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\SystemCacheJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMutant created: NULL
                        Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6760
                        Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\51becbbe-f53c-4af6-8535-c80a7a5c29aeJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                        Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                        Source: file.exeReversingLabs: Detection: 60%
                        Source: unknownProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6760 -s 304
                        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
                        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
                        Source: C:\Users\user\Desktop\file.exe; Section loaded: apphelp.dll
                        Source: C:\Users\user\Desktop\file.exe; Section loaded: kernel.appcore.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: mscoree.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: apphelp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: aclayers.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: mpr.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: sfc.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: sfc_os.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: kernel.appcore.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: version.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: uxtheme.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: windows.storage.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: wldp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: profapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: cryptsp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: rsaenh.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: cryptbase.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: dwrite.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: msvcp140_clr0400.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: mswsock.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: secur32.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: sspicli.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: wbemcomn.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: amsi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: userenv.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: windowscodecs.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: dpapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: rstrtmgr.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: ncrypt.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: ntasn1.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32
                        Source: file.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                        Source: file.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: Binary string: C:\p1cdefvh41vy\output.pdb source: file.exe
                        Source: Binary string: C:\p1cdefvh41vy\output.pdb' source: file.exe
                        Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00B4C77D push ecx; ret 0_2_00B4C790
                        Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00B4D1B0 push ecx; ret 0_2_00B4D1C3
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Memory allocated: 2B40000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Memory allocated: 2D20000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Memory allocated: 4D20000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Window / User API: threadDelayed 450
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Window / User API: threadDelayed 3062
                        Source: C:\Users\user\Desktop\file.exe; API coverage: 7.4 %
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7408; Thread sleep time: -11990383647911201s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4368; Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00B92DA6 FindFirstFileExW,0_2_00B92DA6
                        Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00B93193 FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00B93193
                        Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002FD9000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                        Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002FD9000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                        Source: Amcache.hve.6.dr; Binary or memory string: VMware
                        Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002FD9000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: ms.portal.azure.comVMware20,11696428655
                        Source: RegAsm.exe, 00000002.00000002.2197364899.0000000004121000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
                        Source: RegAsm.exe, 00000002.00000002.2197364899.0000000004121000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                        Source: RegAsm.exe, 00000002.00000002.2197364899.0000000004121000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: global block list test formVMware20,11696428655
                        Source: Amcache.hve.6.dr; Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                        Source: RegAsm.exe, 00000002.00000002.2197364899.0000000004121000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
                        Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002FD9000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: global block list test formVMware20,11696428655
                        Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002FD9000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                        Source: Amcache.hve.6.dr; Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                        Source: RegAsm.exe, 00000002.00000002.2197364899.0000000004121000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                        Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002FD9000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                        Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002FD9000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                        Source: Amcache.hve.6.dr; Binary or memory string: vmci.sys
                        Source: RegAsm.exe, 00000002.00000002.2197364899.0000000004121000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: AMC password management pageVMware20,11696428655
                        Source: RegAsm.exe, 00000002.00000002.2197364899.0000000004121000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: tasks.office.comVMware20,11696428655o
                        Source: RegAsm.exe, 00000002.00000002.2197364899.0000000004121000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: turbotax.intuit.comVMware20,11696428655t
                        Source: RegAsm.exe, 00000002.00000002.2197364899.0000000004121000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: interactivebrokers.comVMware20,11696428655
                        Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002FD9000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                        Source: RegAsm.exe, 00000002.00000002.2197364899.0000000004121000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                        Source: Amcache.hve.6.dr; Binary or memory string: VMware20,1
                        Source: Amcache.hve.6.dr; Binary or memory string: Microsoft Hyper-V Generation Counter
                        Source: Amcache.hve.6.dr; Binary or memory string: NECVMWar VMware SATA CD00
                        Source: Amcache.hve.6.dr; Binary or memory string: VMware Virtual disk SCSI Disk Device
                        Source: RegAsm.exe, 00000002.00000002.2197364899.0000000004121000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                        Source: Amcache.hve.6.dr; Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                        Source: Amcache.hve.6.dr; Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                        Source: Amcache.hve.6.dr; Binary or memory string: VMware PCI VMCI Bus Device
                        Source: Amcache.hve.6.dr; Binary or memory string: VMware VMCI Bus Device
                        Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002FD9000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                        Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002FD9000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
                        Source: Amcache.hve.6.dr; Binary or memory string: VMware Virtual RAM
                        Source: Amcache.hve.6.dr; Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                        Source: RegAsm.exe, 00000002.00000002.2197364899.0000000004121000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: bankofamerica.comVMware20,11696428655x
                        Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002FD9000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                        Source: RegAsm.exe, 00000002.00000002.2197364899.0000000004121000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                        Source: Amcache.hve.6.dr; Binary or memory string: vmci.inf_amd64_68ed49469341f563
                        Source: RegAsm.exe, 00000002.00000002.2197364899.0000000004121000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
                        Source: Amcache.hve.6.dr; Binary or memory string: VMware Virtual USB Mouse
                        Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002FD9000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                        Source: Amcache.hve.6.dr; Binary or memory string: vmci.syshbin
                        Source: Amcache.hve.6.dr; Binary or memory string: VMware, Inc.
                        Source: RegAsm.exe, 00000002.00000002.2197364899.0000000004121000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: discord.comVMware20,11696428655f
                        Source: Amcache.hve.6.dr; Binary or memory string: VMware20,1hbin@
                        Source: Amcache.hve.6.dr; Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                        Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002FD9000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: turbotax.intuit.comVMware20,11696428655t
                        Source: Amcache.hve.6.dr; Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                        Source: RegAsm.exe, 00000002.00000002.2197364899.0000000004121000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
                        Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002FD9000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: outlook.office365.comVMware20,11696428655t
                        Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002FD9000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
                        Source: Amcache.hve.6.dr; Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                        Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002FD9000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
                        Source: RegAsm.exe, 00000002.00000002.2197364899.0000000004121000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                        Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002FD9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696428655j
                        Source: RegAsm.exe, 00000002.00000002.2197364899.0000000004121000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                        Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002FD9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
                        Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CAHNNTHTJYHYJSYCEYHNZYLYPZZRKQCBEKCIJOMVDKLIMUKHNBXCTWEOWAPIZLIROXKDWVWPAJXRXLLBZPLBODFKBOAAIGTICFSLICMIRMFQVAOXHGTZBMVNEYHPFMVMCIZMYUKDQAJPPKRYFMFYBBZZUDRZUAXHAETNILYTWGZWXKMVYVQPTHACYZNPNUTFPXHLZGFMCFPKGKXZBEMNDEMMSUCIJVEEZVVTNLALWSOOIQWNDNBYFXIMXSYSGIHDKBLTQNHGZBSABJNNCDWHLHGGLULQOHIPDWXBOSOZDGSJICPXZOMIEHQNITIKIXBHUHPYBVDEESQCONQTQTGDIDHFZLNHGHGBNMCJMHPFYAEFORSGPQVZXVNVTODPAYYBGVVJXOQSOXDEYRXFEQHHZXPIKKKAYEDXYKYANMXDXCYRRYSRYIHJTRQILRXNGCFCDERRCTAPDWXXOUTNWBDGRIXGZFWOPASEDDSDMQOIHQDMFZFHVAKVPOTYYQXENYUVBZWKYSVATRNDKTBQJKCBIUQOGVVRSKQRXEZOQAFWIQOTGVRLVGJCXQRXZRDCAHGTXVJAEUKUYANEGPRLWIUCPMSVVQZZMIBQKJKZRROZREPQAHYLRVAFUIGNUGSAQAMAZEHHGHFNSBQQBZOSFYEVJOWSCRJNDOYFYNDGPN
                        Source: RegAsm.exe, 00000002.00000002.2197364899.0000000004121000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                        Source: RegAsm.exe, 00000002.00000002.2197364899.0000000004121000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
                        Source: Amcache.hve.6.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                        Source: RegAsm.exe, 00000002.00000002.2197364899.0000000004121000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                        Source: RegAsm.exe, 00000002.00000002.2197364899.0000000004121000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696428655t
                        Source: RegAsm.exe, 00000002.00000002.2197364899.0000000004121000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                        Source: Amcache.hve.6.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                        Source: RegAsm.exe, 00000002.00000002.2194255199.0000000001221000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: RegAsm.exe, 00000002.00000002.2197364899.0000000004121000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                        Source: RegAsm.exe, 00000002.00000002.2197364899.0000000004121000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696428655s
                        Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002FD9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
                        Source: RegAsm.exe, 00000002.00000002.2197364899.0000000004121000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                        Source: RegAsm.exe, 00000002.00000002.2197364899.0000000004121000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696428655
                        Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002FD9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696428655f
                        Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002FD9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
                        Source: Amcache.hve.6.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                        Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin`
                        Source: RegAsm.exe, 00000002.00000002.2197364899.0000000004121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                        Source: Amcache.hve.6.dr Binary or memory string: \driver\vmci,\driver\pci
                        Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002FD9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
                        Source: RegAsm.exe, 00000002.00000002.2197364899.0000000004121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
                        Source: Amcache.hve.6.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                        Source: RegAsm.exe, 00000002.00000002.2197364899.0000000004121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                        Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002FD9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                        Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002FD9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
                        Source: Amcache.hve.6.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                        Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002FD9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                        Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002FD9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                        Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002FD9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
                        Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002FD9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                        Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002FD9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                        Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002FD9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                        Source: RegAsm.exe, 00000002.00000002.2197364899.0000000004121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                        Source: RegAsm.exe, 00000002.00000002.2194705356.0000000002FD9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B927AA IsDebuggerPresent, 0_2_00B927AA
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B8A697 mov eax, dword ptr fs:[00000030h] 0_2_00B8A697
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B8A4F0 mov eax, dword ptr fs:[00000030h] 0_2_00B8A4F0
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B8A5D1 mov eax, dword ptr fs:[00000030h] 0_2_00B8A5D1
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B8A533 mov eax, dword ptr fs:[00000030h] 0_2_00B8A533
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B8A576 mov eax, dword ptr fs:[00000030h] 0_2_00B8A576
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B8A6DB mov eax, dword ptr fs:[00000030h] 0_2_00B8A6DB
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B8A71F mov eax, dword ptr fs:[00000030h] 0_2_00B8A71F
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B8A750 mov eax, dword ptr fs:[00000030h] 0_2_00B8A750
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B857E9 mov ecx, dword ptr fs:[00000030h] 0_2_00B857E9
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B769E1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00B769E1
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B4CEFF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00B4CEFF
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B4D08F SetUnhandledExceptionFilter, 0_2_00B4D08F
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B4D1C4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00B4D1C4
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: page read and write | page guard

                        HIPS / PFW / Operating System Protection Evasion

                        barindex
                        Source: C:\Users\user\Desktop\file.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E018D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread, 0_2_007E018D
                        Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                        Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                        Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
                        Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000
                        Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44E000
                        Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: DFF008
                        Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                        Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B4CBC5 cpuid 0_2_00B4CBC5
                        Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_00B88682
                        Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_00B88813
                        Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoEx,FormatMessageA, 0_2_00B2E9BF
                        Source: C:\Users\user\Desktop\file.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_00B96F68
                        Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_00B8913F
                        Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_00B97163
                        Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_00B9720A
                        Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_00B97273
                        Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00B97399
                        Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_00B9730E
                        Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_00B975EC
                        Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00B97715
                        Source: C:\Users\user\Desktop\file.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00B978EA
                        Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoEx, 0_2_00B4B82A
                        Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_00B9781B
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B4CDD4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00B4CDD4
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B92078 GetTimeZoneInformation, 0_2_00B92078
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                        Source: Amcache.hve.6.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                        Source: Amcache.hve.6.dr Binary or memory string: msmpeng.exe
                        Source: Amcache.hve.6.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
                        Source: Amcache.hve.6.dr Binary or memory string: MsMpEng.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                        Stealing of Sensitive Information

                        barindex
                        Source: Yara match File source: dump.pcap, type: PCAP
                        Source: Yara match File source: 0.2.file.exe.bbab00.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0.2.file.exe.bbab00.1.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0.2.file.exe.b20000.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match File source: 00000002.00000002.2193423222.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: Process Memory Space: file.exe PID: 6760, type: MEMORYSTR
                        Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5780, type: MEMORYSTR
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
                        Source: Yara match File source: 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5780, type: MEMORYSTR

                        Remote Access Functionality

                        barindex
                        Source: Yara match File source: dump.pcap, type: PCAP
                        Source: Yara match File source: 0.2.file.exe.bbab00.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0.2.file.exe.bbab00.1.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0.2.file.exe.b20000.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match File source: 00000002.00000002.2193423222.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: Process Memory Space: file.exe PID: 6760, type: MEMORYSTR
                        Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5780, type: MEMORYSTR
                        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                        Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 221 Windows Management Instrumentation | 1 DLL Side-Loading | 411 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                        Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 241 Security Software Discovery | Remote Desktop Protocol | 2 Data from Local System | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
                        Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 241 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                        Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 411 Process Injection | NTDS | 241 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
                        Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Obfuscated Files or Information | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                        DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | 134 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                        Hide Legend

                        Legend:

                        • Process
                        • Signature
                        • Created File
                        • DNS/IP Info
                        • Is Dropped
                        • Is Windows Process
                        • Number of created Registry Values
                        • Number of created Files
                        • Visual Basic
                        • Delphi
                        • Java
                        • .Net C# or VB.NET
                        • C, C++ or other language
                        • Is malicious
                        • Internet

                        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                        windows-stand
                        Source      Detection   Scanner          Label
                        file.exe    61%         ReversingLabs    Win32.Trojan.LummaC
                        file.exe    100%        Joe Sandbox ML
                        No Antivirus matches
                        No contacted domains info
                        Name: 77.105.135.107:3445
                        Malicious: true
                        Antivirus Detection:
                        • 3%, Virustotal
                        • Avira URL Cloud: safe
                        Reputation: unknown
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id14RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id15RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id16RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2005/02/trust/NonceRegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id17RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id18RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id5ResponseRegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id19RegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsRegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://tempuri.org/Entity/Id15ResponseDRegAsm.exe, 00000002.00000002.2194705356.0000000002DFD000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id10ResponseRegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2005/02/trust/RenewRegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id11ResponseDRegAsm.exe, 00000002.00000002.2194705356.000000000304D000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id8ResponseRegAsm.exe, 00000002.00000002.2194705356.0000000002D21000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyRegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0RegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDRegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTRegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2006/02/addressingidentityRegAsm.exe, 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        • No. of IPs < 25%
                        • 25% < No. of IPs < 50%
                        • 50% < No. of IPs < 75%
                        • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
77.105.135.107 | unknown | Russian Federation | 42031 | PLUSTELECOM-ASRU | true
                        Joe Sandbox version:40.0.0 Tourmaline
                        Analysis ID:1466011
                        Start date and time:2024-07-02 12:23:07 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 5m 30s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:10
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:file.exe
                        Detection:MAL
                        Classification:mal100.troj.spyw.evad.winEXE@6/6@0/1
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 99%
                        • Number of executed functions: 26
                        • Number of non-executed functions: 157
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                        • Excluded IPs from analysis (whitelisted): 13.89.179.12
                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
06:24:09 | API Interceptor | 19x Sleep call for process: RegAsm.exe modified
06:24:19 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
77.105.135.107 | setup.exe | malicious | RedLine |
77.105.135.107 | 1719859269.0326595_setup.exe | malicious | LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig |
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
PLUSTELECOM-ASRU | file.exe | malicious | Unknown | 77.105.133.27
PLUSTELECOM-ASRU | setup.exe | malicious | RedLine | 77.105.135.107
PLUSTELECOM-ASRU | 1719859269.0326595_setup.exe | malicious | LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig | 77.105.135.107
PLUSTELECOM-ASRU | zyJWi2vy29.exe | malicious | LummaC, PureLog Stealer, RisePro Stealer, Vidar, zgRAT | 77.105.132.27
PLUSTELECOM-ASRU | 1719520929.094843_setup.exe | malicious | LummaC Stealer, Mars Stealer, PrivateLoader, PureLog Stealer, Socks5Systemz, Stealc, Vidar | 77.105.132.27
PLUSTELECOM-ASRU | 1Cvd8TyYPm.exe | malicious | LummaC, Mars Stealer, PureLog Stealer, Stealc, Vidar, Xmrig, zgRAT | 77.105.133.27
PLUSTELECOM-ASRU | HXUYIDwIMY.exe | malicious | Meduza Stealer | 77.105.147.172
PLUSTELECOM-ASRU | lhZOo8vhuI.elf | malicious | Unknown | 77.105.138.202
PLUSTELECOM-ASRU | file.exe | malicious | PrivateLoader, PureLog Stealer | 77.105.147.130
PLUSTELECOM-ASRU | yqeO67O9gY.elf | malicious | Mirai | 77.105.140.109
No context
No context
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):0.7035913923344724
                            Encrypted:false
                            SSDEEP:192:l80sL80hvDPlYt10c2i0E3jGGzuiFoZ24IO8ThB:EoYDNuWc2iHjHzuiFoY4IO8r
                            MD5:908D91EAE7667EDEBC4EB1AA3E324706
                            SHA1:8EDFAF356741BFC08B12D201553E100CB4DDE455
                            SHA-256:EFA94F07F7E13B9269EA2F423F9C88E43394DEBC276842CEB144041E476A0FC9
                            SHA-512:57D0D29B27D603E110BDF79DAB6F45A687C80DE97B1C252BD47B73A78BE10ABBDD9638854883C7CCB261B3A13E57F92E09A23E302342EC6259D65BD02C116728
                            Malicious:true
                            Reputation:low
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:Mini DuMP crash report, 14 streams, Tue Jul 2 10:23:57 2024, 0x1205a4 type
                            Category:dropped
                            Size (bytes):53610
                            Entropy (8bit):1.750063043524919
                            Encrypted:false
                            SSDEEP:192:d7uuxOrtONWclRDScvUTC7hEAIDSgKUrmMk:tOcNdlbumEhDSghu
                            MD5:76B6791DBE9E8A6ACD9F78F7752AF7B5
                            SHA1:ABFEA324F5112634C5670CD19EC3C6D9B54FA25E
                            SHA-256:B2B9BF7959FECBE863737E55FB655E1A5A976A171CC93BD6AB03181A57FAEF51
                            SHA-512:7561B74C39D91F300F7D233288BA61E00E7BD9041E4F44C539F2255F3F36B144538BAD633818C5353D6328EFA4BFFC10848E32C3BDF7184721B71363686D98F4
                            Malicious:false
                            Reputation:low
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):8260
                            Entropy (8bit):3.6893410183633355
                            Encrypted:false
                            SSDEEP:192:R6l7wVeJ9Cw6gu6YEIQSUuFegmfByXIupDT89bB3sflRrm:R6lXJ/6R6YE/SUQegmfwiB8f2
                            MD5:F5E798B681E4C628181B800FC9704E6D
                            SHA1:BD6571FEDB63ABF72A011E6C7AD0C6A54885DB63
                            SHA-256:1F69C11C9E2778D88DAE207EE7AA245E0DB89D7340CE213704CD2EDB3C5E5F9C
                            SHA-512:3E99B146DDB80BE64167FFD1F55BD1B12C53027D6ED26379ED9C93DFF7E8679CA027FE0E20BD55FF76FEFDEBFA6E214DEF75F7CFE99477FB21AEC6D4EC915A6E
                            Malicious:false
                            Reputation:low
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):4537
                            Entropy (8bit):4.428220343552774
                            Encrypted:false
                            SSDEEP:48:cvIwWl8zstJg77aI9w7WpW8VY/Ym8M4J94FI+q8K5+S8iEd:uIjfHI7eK7VrJvJ+SBEd
                            MD5:567AA4A24C8E70FABCEA5A0CF8DDFF6D
                            SHA1:1622F4F031A90E1D9E733FD8CF51DE53E8A883B5
                            SHA-256:9F44FEC3ED221F218C31988E5DCFD416B8578DF0C4EDD6638E9D4B965C26F78C
                            SHA-512:6BD2FDF10FEA45E9FF6DC69649E2997DC50433F70F947723C76D2DB184C747B675CA89B184C12FA6476208745C8784E13A6F4BDC965C0B7D2C7AB930FE99C5F3
                            Malicious:false
                            Reputation:low
                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="393206" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):3094
                            Entropy (8bit):5.33145931749415
                            Encrypted:false
                            SSDEEP:96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
                            MD5:3FD5C0634443FB2EF2796B9636159CB6
                            SHA1:366DDE94AEFCFFFAB8E03AD8B448E05D7489EB48
                            SHA-256:58307E94C67E2348F5A838DE4FF668983B38B7E9A3B1D61535D3A392814A57D6
                            SHA-512:8535E7C0777C6B0876936D84BDE2BDC59963CF0954D4E50D65808E6E806E8B131DF5DB8FA0E030FAE2702143A7C3A70698A2B9A80519C9E2FFC286A71F0B797C
                            Malicious:false
                            Reputation:high, very likely benign file
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:MS Windows registry file, NT/2000 or above
                            Category:dropped
                            Size (bytes):1835008
                            Entropy (8bit):4.421337681964193
                            Encrypted:false
                            SSDEEP:6144:cSvfpi6ceLP/9skLmb0OTSWSPHaJG8nAgeMZMMhA2fX4WABlEnN20uhiTw:HvloTSW+EZMM6DFy403w
                            MD5:9095D7BE8EE38E60A3035D1230F8E7ED
                            SHA1:1002CA5F350D708E58F79C2CF94A554B59CB0A71
                            SHA-256:114F972DC86C3370526EC29284AE50B7A9AEAA76C59867CB3CC603E60433A1C4
                            SHA-512:48A9F8CD5C561A3FDB0A9577182F1E61D0C7065648F9F3BD4521B1916DE199C4845B38CEB4697E1FBAF66CE863C0B40D13E5FAAE1B36616DBBC7F8A1B2D24535
                            Malicious:false
                            Reputation:low
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.29740036425901
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.96%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:file.exe
                            File size:957'440 bytes
                            MD5:75a2d212a591a83a4d0c88a92b390b88
                            SHA1:8f69b79a0d6bc6b4def35b38ec46d15e6eb1c1d9
                            SHA256:cf47a943ec0eb86c16a8d7e6e0ad8c4bfb6063af089e1b3809ed44ac45347e71
                            SHA512:e7242ef4042f96743a6f999bee1a5ee93a88a6aa83385a28d2b868bd2c2f6734c0bc9192059e5a7862cff747a4dee8a16e9ac10cb659cbd2f05a4a040dd05a47
                            SSDEEP:24576:j+qodQCtw8QEZWBiMUp736I5Zqi7P2XZtXtW/Di:iw8QEZWBTXSZqiz2XvXQm
                            TLSH:D715CE1135C08036D67320320AA9FAB99AFEF4341B2966CF17D85A7E9F346C15B3526F
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........x...+...+...+z..*...+z..*...+z..*...+k\.*...+k\.*...+z..*...+...+)..+k\.*...+Z_.*...+Z_.*...+Z_.*...+Rich...+...............
                            Icon Hash:00928e8e8686b000
                            Entrypoint:0x42c381
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                            Time Stamp:0x66826F1E [Mon Jul 1 08:55:58 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:6
                            OS Version Minor:0
                            File Version Major:6
                            File Version Minor:0
                            Subsystem Version Major:6
                            Subsystem Version Minor:0
                            Import Hash:56baef533a2c1ed14f3f4ef31918aea1
                            Instruction
                            call 00007F05A4B2DA00h
                            jmp 00007F05A4B2CD7Ch
                            cmp ecx, dword ptr [0049A040h]
                            jne 00007F05A4B2CF63h
                            ret
                            jmp 00007F05A4B2DDB8h
                            jmp 00007F05A4B2E09Dh
                            push ebp
                            mov ebp, esp
                            jmp 00007F05A4B2CF6Fh
                            push dword ptr [ebp+08h]
                            call 00007F05A4B6879Eh
                            pop ecx
                            test eax, eax
                            je 00007F05A4B2CF71h
                            push dword ptr [ebp+08h]
                            call 00007F05A4B5948Eh
                            pop ecx
                            test eax, eax
                            je 00007F05A4B2CF48h
                            pop ebp
                            ret
                            cmp dword ptr [ebp+08h], FFFFFFFFh
                            je 00007F05A4B2E095h
                            jmp 00007F05A4B2E072h
                            push ebp
                            mov ebp, esp
                            push dword ptr [ebp+08h]
                            call 00007F05A4B2E062h
                            pop ecx
                            pop ebp
                            ret
                            mov dword ptr [ecx], 0048A520h
                            ret
                            push ebp
                            mov ebp, esp
                            test byte ptr [ebp+08h], 00000001h
                            push esi
                            mov esi, ecx
                            mov dword ptr [esi], 0048A520h
                            je 00007F05A4B2CF6Ch
                            push 0000000Ch
                            push esi
                            call 00007F05A4B2CF36h
                            pop ecx
                            pop ecx
                            mov eax, esi
                            pop esi
                            pop ebp
                            retn 0004h
                            push ebp
                            mov ebp, esp
                            mov eax, dword ptr [ebp+08h]
                            push esi
                            mov ecx, dword ptr [eax+3Ch]
                            add ecx, eax
                            movzx eax, word ptr [ecx+14h]
                            lea edx, dword ptr [ecx+18h]
                            add edx, eax
                            movzx eax, word ptr [ecx+06h]
                            imul esi, eax, 28h
                            add esi, edx
                            cmp edx, esi
                            je 00007F05A4B2CF7Bh
                            mov ecx, dword ptr [ebp+0Ch]
                            cmp ecx, dword ptr [edx+0Ch]
                            jc 00007F05A4B2CF6Ch
                            mov eax, dword ptr [edx+08h]
                            add eax, dword ptr [edx+0Ch]
                            cmp ecx, eax
                            jc 00007F05A4B2CF6Eh
                            add edx, 28h
                            cmp edx, esi
                            jne 00007F05A4B2CF4Ch
                            xor eax, eax
                            pop esi
                            pop ebp
                            ret
                            mov eax, edx
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x98d80 | 0x48 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x98dc8 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe9000 | 0x4ac8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x929a0 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x928e0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x88000 | 0x20c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy            Characteristics
.text   0x1000           0x85607       0x85800   d4a3e4e2547dac4975d39086e7139986  False     0.4124166081460674  data       6.668988034436214  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.bss    0x87000          0xf7d         0x1000    878c09940a226a834c3659a4a01175c6  False     0.63134765625       data       6.367281353368697  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x88000          0x11a34       0x11c00   8d317fc0445d9e97e892000dec205388  False     0.375426386443662   data       4.84980486267065   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x9a000          0x4e080       0x4c800   0e891f069ac6bc33dc2180dbb40af6b5  False     0.9814006331699346  data       7.987547215279856  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc  0xe9000          0x4ac8        0x4c00    25fdceee7c26fa23b595325521337834  False     0.7338096217105263  data       6.612335437064259  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Two rows stand out. .data has an entropy of 7.99 and a ZLIB complexity of 0.98 over 0x4c800 bytes of on-disk data, so it is essentially incompressible and almost certainly holds an encrypted or packed payload. .bss, which in a normally built binary is uninitialised data with no raw bytes, is here marked IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE and carries 0x1000 bytes on disk.
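A triage pass over a section table like the one above, as an added example that is not part of the Joe Sandbox report. The section records are transcribed from the report's table for file.exe; the entropy threshold and the set of checks are this example's own assumptions, and `shannon_entropy` shows how a per-section entropy figure on the report's 0 to 8 scale is computed from raw bytes.

```python
"""PE section-table triage (added example, not part of the Joe Sandbox report).

SECTIONS is transcribed from the report's section table for file.exe
(name, virtual address, virtual size, raw size, entropy, characteristics).
HIGH_ENTROPY and the individual checks are this example's own choices.
"""
import math
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    entropy: float
    characteristics: List[str] = field(default_factory=list)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant bytes, 8.0 for a uniform
    byte distribution. This is the scale of the report's Entropy column."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


# Assumption: entropy at or above this is treated as packed/encrypted content.
HIGH_ENTROPY = 7.5


def triage_section(s: Section) -> List[str]:
    """Return human-readable findings for one section; an empty list means nothing odd."""
    findings: List[str] = []
    code = "IMAGE_SCN_CNT_CODE" in s.characteristics
    execute = "IMAGE_SCN_MEM_EXECUTE" in s.characteristics
    write = "IMAGE_SCN_MEM_WRITE" in s.characteristics

    if execute and write:
        findings.append("section is both writable and executable")
    if s.name == ".bss" and (code or execute):
        # .bss is uninitialised data; code/execute flags on it are a red flag.
        findings.append(".bss flagged as code/executable")
    if s.name == ".bss" and s.raw_size:
        findings.append(f".bss carries 0x{s.raw_size:x} bytes on disk (normally 0)")
    if s.entropy >= HIGH_ENTROPY and not execute:
        findings.append(f"high entropy {s.entropy:.2f}: likely packed or encrypted payload")
    if s.raw_size == 0 and execute:
        findings.append("executable section with no on-disk bytes: unpacking target")
    return findings


def triage(sections: List[Section]) -> Dict[str, List[str]]:
    """Map section name -> findings, keeping only sections with at least one finding."""
    result: Dict[str, List[str]] = {}
    for s in sections:
        found = triage_section(s)
        if found:
            result[s.name] = found
    return result


CODE_RX = ["IMAGE_SCN_CNT_CODE", "IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_READ"]
DATA_R = ["IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ"]

# Transcribed from the report's section table for file.exe.
SECTIONS = [
    Section(".text",  0x1000,  0x85607, 0x85800, 6.668988034436214, CODE_RX),
    Section(".bss",   0x87000, 0xf7d,   0x1000,  6.367281353368697, CODE_RX),
    Section(".rdata", 0x88000, 0x11a34, 0x11c00, 4.84980486267065,  DATA_R),
    Section(".data",  0x9a000, 0x4e080, 0x4c800, 7.987547215279856, DATA_R + ["IMAGE_SCN_MEM_WRITE"]),
    Section(".reloc", 0xe9000, 0x4ac8,  0x4c00,  6.612335437064259,
            ["IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_DISCARDABLE", "IMAGE_SCN_MEM_READ"]),
]

if __name__ == "__main__":
    for name, findings in triage(SECTIONS).items():
        for line in findings:
            print(f"{name}: {line}")
```

Run against the transcribed table, only .bss (code/execute flags plus on-disk bytes) and .data (high entropy) produce findings; .text, .rdata and .reloc are clean. On a real file the same checks would be fed from a PE parser rather than a hand-transcribed list.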
DLL           Import
GDI32.dll     SetPixel
USER32.dll    OffsetRect, ReleaseDC, GetDC
KERNEL32.dll  CreateFileW, HeapSize, GetProcessHeap, SetStdHandle, VirtualAlloc, WaitForSingleObject, GetModuleHandleA, CreateThread, GetProcAddress, FormatMessageA, WideCharToMultiByte, GetCurrentThreadId, CloseHandle, WaitForSingleObjectEx, Sleep, SwitchToThread, GetExitCodeThread, GetNativeSystemInfo, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, LocalFree, GetLocaleInfoEx, MultiByteToWideChar, LCMapStringEx, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, WakeConditionVariable, WakeAllConditionVariable, SleepConditionVariableSRW, QueryPerformanceCounter, QueryPerformanceFrequency, SetFileInformationByHandle, GetTempPathW, InitOnceExecuteOnce, CreateEventExW, CreateSemaphoreExW, FlushProcessWriteBuffers, GetCurrentProcessorNumber, GetSystemTimeAsFileTime, GetTickCount64, FreeLibraryWhenCallbackReturns, CreateThreadpoolTimer, SetThreadpoolTimer, WaitForThreadpoolTimerCallbacks, CloseThreadpoolTimer, CreateThreadpoolWait, SetThreadpoolWait, CloseThreadpoolWait, GetModuleHandleW, GetFileInformationByHandleEx, CreateSymbolicLinkW, GetStringTypeW, CompareStringEx, GetCPInfo, IsProcessorFeaturePresent, GetCurrentProcessId, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetCurrentProcess, TerminateProcess, SetEnvironmentVariableW, RaiseException, RtlUnwind, InterlockedPushEntrySList, InterlockedFlushSList, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetModuleHandleExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, GetCurrentThread, SetConsoleCtrlHandler, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, GetTimeZoneInformation, OutputDebugStringW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW

Apart from the C runtime, the static import table is unremarkable: it contains no process-creation, remote-memory or networking APIs. The resolution primitives GetModuleHandleA, LoadLibraryExW and GetProcAddress are present, so any API the dynamic analysis observed that is not in this list is being resolved at run time rather than through the IAT.
Name        Ordinal  Address
AwakeSound  1        0x487d10
Timestamp                 Protocol  SID      Source IP        Source Port  Dest IP          Dest Port  Message
07/02/24-12:24:00.932845  TCP       2046045  192.168.2.5      49704        77.105.135.107   3445       ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
07/02/24-12:24:01.127422  TCP       2043234  77.105.135.107   3445         192.168.2.5      49704      ET MALWARE Redline Stealer TCP CnC - Id1Response
07/02/24-12:24:06.375739  TCP       2046056  77.105.135.107   3445         192.168.2.5      49704      ET TROJAN Redline Stealer/MetaStealer Family Activity (Response)
07/02/24-12:24:13.135257  TCP       2043231  192.168.2.5      49704        77.105.135.107   3445       ET TROJAN Redline Stealer TCP CnC Activity

All four alerts fire on the same TCP connection, 192.168.2.5:49704 to 77.105.135.107:3445, so the network indicator to block and hunt for is 77.105.135.107 on TCP port 3445. The MC-NMF signature matches the .NET Message Framing (WCF net.tcp) handshake that RedLine uses for its C2 channel, and the "Id1Response" rule fires on the server's reply to the bot's first request.
Timestamp                              Source Port  Dest Port  Source IP        Dest IP
Jul 2, 2024 12:24:00.230401039 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:00.235276937 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:00.235403061 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:00.255548954 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:00.260399103 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:00.894330978 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:00.932845116 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:00.938674927 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:01.127422094 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:01.171791077 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:06.175950050 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:06.180783033 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:06.375739098 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:06.375751972 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:06.375766039 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:06.375832081 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:06.375852108 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:06.375860929 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:06.375907898 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:06.421789885 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:06.510586023 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:06.515475988 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:06.940747023 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:06.941606998 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:06.941693068 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:07.050059080 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:07.055459023 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:07.243783951 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:07.296848059 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:07.338819981 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:07.343744040 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:07.343756914 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:07.343820095 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:07.343830109 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:07.343859911 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:07.343900919 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:07.343924999 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:07.343933105 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:07.343944073 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:07.343972921 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:07.343982935 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:07.343991995 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:07.344090939 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:07.344099998 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:07.348745108 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:07.348792076 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:07.350586891 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:07.350596905 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:07.350605965 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:07.350615025 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:07.638511896 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:07.648298025 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:07.653187990 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:07.841630936 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:07.890568972 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:07.979860067 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:07.984679937 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:08.174869061 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:08.207503080 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:08.216063023 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:08.409914970 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:08.415105104 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:08.422775984 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:08.611979008 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:08.619383097 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:08.624397993 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:08.624409914 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:08.624417067 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:08.624497890 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:08.624501944 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:08.624536991 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:08.911303043 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:08.913100958 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:08.918390989 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:09.107553005 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:09.110565901 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:09.116857052 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:09.307045937 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:09.308224916 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:09.313081026 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:09.506139040 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:09.516491890 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:09.521431923 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:09.930443048 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:09.931735039 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:09.932106018 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:09.934547901 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:09.939281940 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.128108978 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.171808958 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:10.217324018 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:10.222785950 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.222795963 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.222820997 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.222825050 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.222836018 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.222839117 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.222923040 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.222928047 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.222968102 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.222971916 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.223073959 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:10.227544069 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.227586031 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.227685928 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:10.227760077 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.227767944 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.227822065 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.227824926 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:10.227857113 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.227941990 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:10.227950096 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.228024960 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.228029013 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.228091955 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:10.228142977 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.228245974 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.228288889 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.228293896 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.228302956 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.228307009 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:10.228365898 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:10.232022047 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.232064962 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.232069969 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.232074022 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.232135057 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:10.232227087 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.232346058 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.232355118 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.232362032 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.232399940 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:10.232400894 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.232404947 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.232441902 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:10.232455969 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.232460022 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.232516050 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.232521057 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.232593060 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.232598066 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.232703924 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.232707977 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.232724905 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.232728958 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.232759953 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.232764006 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.232811928 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.232815981 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.232855082 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.232858896 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.232914925 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.232918978 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.232928991 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.232933044 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.232986927 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.232990980 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.232997894 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:10.233045101 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.233050108 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.233072042 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:10.233102083 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.233107090 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.233114004 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:10.233155966 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.233160019 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.233164072 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:10.233197927 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.233222008 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.233258009 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.233262062 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.237812042 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.237818003 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.237827063 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.237831116 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.237834930 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.237852097 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.237855911 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.237864971 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.237869024 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.237878084 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.237881899 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.237890005 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.237894058 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.237901926 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.237905979 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.237914085 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.237917900 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.237926960 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.237930059 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.237934113 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.237936974 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.237941027 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.237951040 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.237955093 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.237962961 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.237977028 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.237981081 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.237989902 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.237993956 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.238002062 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.238055944 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.238059998 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.238069057 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.238101959 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.238143921 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.238207102 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.238210917 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.238357067 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:10.238418102 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.238423109 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.238434076 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.238439083 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.238444090 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:10.238456964 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.238461018 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.238465071 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.238468885 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.238477945 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.238497972 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.238576889 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.238580942 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.238641977 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.238646984 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.238722086 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.238725901 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.238761902 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.238765955 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.238800049 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.238802910 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.239357948 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.239362001 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.239483118 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.239622116 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.239625931 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.239634991 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.239639044 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.239751101 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.239754915 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.239758968 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.239763021 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.239773035 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.239892960 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.239897013 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.239906073 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.239908934 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.239917994 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.240020037 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.240029097 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.240032911 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.240041018 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.240045071 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.240143061 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.240147114 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.240155935 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.240159988 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.240164042 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.242957115 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.242961884 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.243181944 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:10.243251085 CEST    49704        3445       192.168.2.5      77.105.135.107
Jul 2, 2024 12:24:10.244580984 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.244930983 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.244935989 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.244945049 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.245064020 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.245073080 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.245076895 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.245079994 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.245084047 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.245208025 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.245213032 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.245223999 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.245354891 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.245363951 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.245368004 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.245493889 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.245497942 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.245507002 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.245511055 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.245670080 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.245673895 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.245682001 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.245687008 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.245790005 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.245794058 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.245803118 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.245806932 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.245939970 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.245943069 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.246078014 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.246082067 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.246089935 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.246093988 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.246129036 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.246133089 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.246141911 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.246145964 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.246160984 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.246165037 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.246228933 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.246232986 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.246522903 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.246527910 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.246675968 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.246680021 CEST    3445         49704      77.105.135.107   192.168.2.5
Jul 2, 2024 12:24:10.246687889 CEST    3445         49704      77.105.135.107   192.168.2.5
                            Jul 2, 2024 12:24:10.246834040 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.246838093 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.246983051 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.246987104 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.246990919 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.246994019 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.247148037 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.247152090 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.247348070 CEST497043445192.168.2.577.105.135.107
                            Jul 2, 2024 12:24:10.247419119 CEST497043445192.168.2.577.105.135.107
                            Jul 2, 2024 12:24:10.248188019 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.248286963 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.248291016 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.248295069 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.248439074 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.248444080 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.248451948 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.248563051 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.248567104 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.248575926 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.248725891 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.248729944 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.248883963 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.248888016 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.248927116 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.248930931 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.248939991 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.249316931 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.249320984 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.249330044 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.249439955 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.249444008 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.249452114 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.249455929 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.249464035 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.249593019 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.249597073 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.249605894 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.249732971 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.249737024 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.249747038 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.249749899 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.249869108 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.249874115 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.249882936 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.249886990 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.249969959 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.249974012 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.249983072 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.249986887 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.249994993 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.250004053 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.250006914 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.250019073 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.250022888 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.250030994 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.250072956 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.250076056 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.250117064 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.250121117 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.250226974 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.250231028 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.250262022 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.251317024 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.251605988 CEST497043445192.168.2.577.105.135.107
                            Jul 2, 2024 12:24:10.251682043 CEST497043445192.168.2.577.105.135.107
                            Jul 2, 2024 12:24:10.252346039 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.252351046 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.252471924 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.252476931 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.252490044 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.252495050 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.252572060 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.252576113 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.252588034 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.252592087 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.252731085 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.252734900 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.252818108 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.252821922 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.252830982 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.252835035 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.252839088 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.252850056 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.252859116 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.252861977 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.252866030 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.252873898 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.252906084 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.252908945 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.253006935 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.253010988 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.253087997 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.253092051 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.253370047 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.253374100 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.253448963 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.253453016 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.253462076 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.253465891 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.253736973 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.253741026 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.253748894 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.253894091 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.253897905 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.254066944 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.254070997 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.254192114 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.254195929 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.254204035 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.254208088 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.254216909 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.254324913 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.254328966 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.254337072 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.254340887 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.254481077 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.254484892 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.254492998 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.254497051 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.254697084 CEST497043445192.168.2.577.105.135.107
                            Jul 2, 2024 12:24:10.254786968 CEST497043445192.168.2.577.105.135.107
                            Jul 2, 2024 12:24:10.256694078 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.256697893 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.256823063 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.256975889 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.257112026 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.257117033 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.257126093 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.257128954 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.257232904 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.257236958 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.257350922 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.257354975 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.257364988 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.257368088 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.257376909 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.257381916 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.257446051 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.257450104 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.257453918 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.257457018 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.257466078 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.257469893 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.257477999 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.257482052 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.257492065 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.257496119 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.257577896 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.257616043 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.257687092 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.257692099 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.257826090 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.257868052 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.258363962 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.258649111 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.258773088 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.258776903 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.258785963 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.258789062 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.258793116 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.258796930 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.258894920 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.258899927 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.258908987 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.258912086 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.258915901 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.258924007 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.259048939 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.259052992 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.259057045 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.259191990 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.259196043 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.259203911 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.259207964 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.259959936 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.260122061 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.260126114 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.260247946 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.260256052 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.260260105 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.260262966 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.260267019 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.260376930 CEST497043445192.168.2.577.105.135.107
                            Jul 2, 2024 12:24:10.260382891 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.260394096 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.260397911 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.260401011 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.260405064 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.260447025 CEST497043445192.168.2.577.105.135.107
                            Jul 2, 2024 12:24:10.260490894 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.260500908 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.260504961 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.260602951 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.260607958 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.260616064 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.260620117 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.260623932 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.260627985 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.260636091 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.260639906 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.260648966 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.260652065 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.260656118 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.260658979 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.260669947 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.260679007 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.260683060 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.260687113 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.260694981 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.260698080 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.260708094 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.260760069 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.260762930 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.260970116 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.261040926 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.261044025 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.261053085 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.261199951 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.261204004 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.261212111 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.261363029 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.261367083 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.261375904 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.261507034 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.261511087 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.261646986 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.261651039 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.261660099 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.261662960 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.261811972 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.261815071 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.262017965 CEST497043445192.168.2.577.105.135.107
                            Jul 2, 2024 12:24:10.262093067 CEST497043445192.168.2.577.105.135.107
                            Jul 2, 2024 12:24:10.265429974 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.265588045 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.265732050 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.265873909 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.265878916 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.265882969 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.266026020 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.266030073 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.266181946 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.266185999 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.266304016 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.266308069 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.266393900 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.266397953 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.266407013 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.266411066 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.266415119 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.266427994 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.266432047 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.266436100 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.266438961 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.266448021 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.266499996 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.266503096 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.266954899 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.266958952 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.266968012 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.266972065 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.267102003 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.267106056 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.267195940 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.267199993 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.267208099 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.267211914 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.267345905 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.267349958 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.267473936 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.267477989 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.267487049 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.267616987 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.267620087 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.267752886 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.267756939 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.267765999 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.267770052 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.267779112 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.267894030 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.267898083 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.268034935 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.268039942 CEST34454970477.105.135.107192.168.2.5
                            Jul 2, 2024 12:24:10.268043041 CEST34454970477.105.135.107192.168.2.5
                            Timestamp                            Source Port  Dest Port  Source IP        Dest IP
                            Jul 2, 2024 12:24:10.268047094 CEST  3445         49704      77.105.135.107   192.168.2.5
                            Jul 2, 2024 12:24:10.268203974 CEST  3445         49704      77.105.135.107   192.168.2.5
                            Jul 2, 2024 12:24:10.268213987 CEST  3445         49704      77.105.135.107   192.168.2.5
                            Jul 2, 2024 12:24:10.268362999 CEST  3445         49704      77.105.135.107   192.168.2.5
                            Jul 2, 2024 12:24:10.268364906 CEST  3445         49704      77.105.135.107   192.168.2.5
                            Jul 2, 2024 12:24:10.268369913 CEST  3445         49704      77.105.135.107   192.168.2.5
                            Jul 2, 2024 12:24:10.268369913 CEST  3445         49704      77.105.135.107   192.168.2.5
                            Jul 2, 2024 12:24:10.268395901 CEST  49704        3445       192.168.2.5      77.105.135.107
                            Jul 2, 2024 12:24:10.268496990 CEST  3445         49704      77.105.135.107   192.168.2.5
                            Jul 2, 2024 12:24:10.268501043 CEST  3445         49704      77.105.135.107   192.168.2.5
                            Jul 2, 2024 12:24:10.312429905 CEST  49704        3445       192.168.2.5      77.105.135.107
                            Jul 2, 2024 12:24:10.315623999 CEST  3445         49704      77.105.135.107   192.168.2.5
                            Jul 2, 2024 12:24:10.317266941 CEST  3445         49704      77.105.135.107   192.168.2.5
                            Jul 2, 2024 12:24:11.046212912 CEST  3445         49704      77.105.135.107   192.168.2.5
                            Jul 2, 2024 12:24:11.093744040 CEST  49704        3445       192.168.2.5      77.105.135.107
                            Jul 2, 2024 12:24:11.686405897 CEST  49704        3445       192.168.2.5      77.105.135.107
                            Jul 2, 2024 12:24:11.766676903 CEST  3445         49704      77.105.135.107   192.168.2.5
                            Jul 2, 2024 12:24:11.955912113 CEST  3445         49704      77.105.135.107   192.168.2.5
                            Jul 2, 2024 12:24:11.958069086 CEST  49704        3445       192.168.2.5      77.105.135.107
                            Jul 2, 2024 12:24:11.962913036 CEST  3445         49704      77.105.135.107   192.168.2.5
                            Jul 2, 2024 12:24:12.151259899 CEST  3445         49704      77.105.135.107   192.168.2.5
                            Jul 2, 2024 12:24:12.203001022 CEST  49704        3445       192.168.2.5      77.105.135.107
                            Jul 2, 2024 12:24:12.254447937 CEST  49704        3445       192.168.2.5      77.105.135.107
                            Jul 2, 2024 12:24:12.259414911 CEST  3445         49704      77.105.135.107   192.168.2.5
                            Jul 2, 2024 12:24:12.741806030 CEST  3445         49704      77.105.135.107   192.168.2.5
                            Jul 2, 2024 12:24:12.742546082 CEST  3445         49704      77.105.135.107   192.168.2.5
                            Jul 2, 2024 12:24:12.742749929 CEST  49704        3445       192.168.2.5      77.105.135.107
                            Jul 2, 2024 12:24:12.744905949 CEST  49704        3445       192.168.2.5      77.105.135.107
                            Jul 2, 2024 12:24:12.751638889 CEST  3445         49704      77.105.135.107   192.168.2.5
                            Jul 2, 2024 12:24:12.940397024 CEST  3445         49704      77.105.135.107   192.168.2.5
                            Jul 2, 2024 12:24:12.940872908 CEST  49704        3445       192.168.2.5      77.105.135.107
                            Jul 2, 2024 12:24:12.945643902 CEST  3445         49704      77.105.135.107   192.168.2.5
                            Jul 2, 2024 12:24:13.134162903 CEST  3445         49704      77.105.135.107   192.168.2.5
                            Jul 2, 2024 12:24:13.135257006 CEST  49704        3445       192.168.2.5      77.105.135.107
                            Jul 2, 2024 12:24:13.140166044 CEST  3445         49704      77.105.135.107   192.168.2.5
                            Jul 2, 2024 12:24:13.343828917 CEST  3445         49704      77.105.135.107   192.168.2.5
                            Jul 2, 2024 12:24:13.376147032 CEST  49704        3445       192.168.2.5      77.105.135.107

                            Target ID:0
                            Start time:06:23:56
                            Start date:02/07/2024
                            Path:C:\Users\user\Desktop\file.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\file.exe"
                            Imagebase:0xb20000
                            File size:957'440 bytes
                            MD5 hash:75A2D212A591A83A4D0C88A92B390B88
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true

                            Target ID:1
                            Start time:06:23:57
                            Start date:02/07/2024
                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                            Imagebase:0x280000
                            File size:65'440 bytes
                            MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:2
                            Start time:06:23:57
                            Start date:02/07/2024
                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                            Imagebase:0xa00000
                            File size:65'440 bytes
                            MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.2193423222.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.2194705356.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:high
                            Has exited:true

                            Target ID:6
                            Start time:06:23:57
                            Start date:02/07/2024
                            Path:C:\Windows\SysWOW64\WerFault.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6760 -s 304
                            Imagebase:0x340000
                            File size:483'680 bytes
                            MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                              Execution Graph

                              Execution Coverage:0.7%
                              Dynamic/Decrypted Code Coverage:2.5%
                              Signature Coverage:17.5%
                              Total number of Nodes:325
                              Total number of Limit Nodes:6
                              execution_graph 61518 7e018d 61521 7e01c5 61518->61521 61519 7e02d3 CreateProcessA VirtualAlloc Wow64GetThreadContext ReadProcessMemory VirtualAllocEx 61520 7e03a2 WriteProcessMemory 61519->61520 61519->61521 61522 7e03e7 61520->61522 61521->61519 61523 7e0392 TerminateProcess 61521->61523 61524 7e03ec WriteProcessMemory 61522->61524 61525 7e0429 WriteProcessMemory Wow64SetThreadContext ResumeThread 61522->61525 61523->61519 61524->61522 61526 ba7af0 61542 b283a0 61526->61542 61528 ba7b30 61556 b4c39e 61528->61556 61530 ba7b6c 61531 ba7b7a VirtualAlloc 61530->61531 61565 ba78b0 61531->61565 61533 ba7b98 61534 ba7be5 std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 61533->61534 61537 ba7c02 61533->61537 61606 b4c38b 5 API calls ___raise_securityfailure 61534->61606 61536 ba7bfb 61607 b76c11 61537->61607 61543 b283d3 61542->61543 61544 b283b0 61542->61544 61547 b283e4 61543->61547 61550 b4c39e codecvt 3 API calls 61543->61550 61545 b283b7 61544->61545 61546 b283ea 61544->61546 61549 b4c39e codecvt 3 API calls 61545->61549 61612 b21520 77 API calls 3 library calls 61546->61612 61547->61528 61552 b283bd 61549->61552 61551 b283dd 61550->61551 61551->61528 61553 b76c11 std::locale::_Locimp::_Locimp_ctor 76 API calls 61552->61553 61554 b283c6 61552->61554 61555 b283f4 61553->61555 61554->61528 61555->61528 61557 b4c3a3 std::locale::_Locimp::_Locimp_ctor 61556->61557 61558 b4c3bd 61557->61558 61561 b4c3bf Concurrency::cancel_current_task 61557->61561 61613 b87be4 EnterCriticalSection LeaveCriticalSection codecvt 61557->61613 61558->61530 61560 b4d4f7 codecvt 61615 b4d807 RaiseException 61560->61615 61561->61560 61614 b4d807 RaiseException 61561->61614 61563 b4d514 61566 b4c39e codecvt 3 API calls 61565->61566 61568 ba78c9 61566->61568 61569 ba7943 61568->61569 61616 b28170 77 API calls 5 library calls 61568->61616 61570 ba7ada 61569->61570 61571 ba7968 61569->61571 61589 ba7988 __InternalCxxFrameHandler 61569->61589 61619 b279e0 77 API calls 2 library 
calls 61570->61619 61573 ba79a2 61571->61573 61574 ba7977 61571->61574 61580 b4c39e codecvt 3 API calls 61573->61580 61573->61589 61575 ba7adf 61574->61575 61577 ba7982 61574->61577 61620 b21520 77 API calls 3 library calls 61575->61620 61576 b25ba0 77 API calls 61576->61589 61579 b4c39e codecvt 3 API calls 61577->61579 61578 ba7a5b std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 61581 ba7ae4 61578->61581 61583 ba7abd std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 61578->61583 61579->61589 61580->61589 61584 b76c11 std::locale::_Locimp::_Locimp_ctor 76 API calls 61581->61584 61618 b4c38b 5 API calls ___raise_securityfailure 61583->61618 61586 ba7ae9 61584->61586 61588 b283a0 std::locale::_Locimp::_Locimp_ctor 77 API calls 61586->61588 61587 ba7ad6 61587->61533 61590 ba7b30 61588->61590 61589->61576 61589->61578 61589->61581 61591 b25db0 103 API calls 61589->61591 61617 b7676a 77 API calls 2 library calls 61589->61617 61592 b4c39e codecvt 3 API calls 61590->61592 61591->61589 61593 ba7b6c 61592->61593 61595 ba7b7a VirtualAlloc 61593->61595 61596 ba78b0 103 API calls 61595->61596 61599 ba7b98 61596->61599 61597 ba7be5 std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 61621 b4c38b 5 API calls ___raise_securityfailure 61597->61621 61599->61597 61601 ba7c02 61599->61601 61600 ba7bfb 61600->61533 61602 b76c11 std::locale::_Locimp::_Locimp_ctor 76 API calls 61601->61602 61604 ba7c07 61602->61604 61603 ba7c4b 61603->61533 61604->61603 61622 b22b40 77 API calls 61604->61622 61606->61536 61623 b76b4d 76 API calls 2 library calls 61607->61623 61609 b76c20 61624 b76c2e 11 API calls std::locale::_Setgloballocale 61609->61624 61611 b76c2d 61612->61552 61613->61557 61614->61560 61615->61563 61616->61568 61617->61589 61618->61587 61619->61575 61620->61581 61621->61600 61622->61604 61623->61609 61624->61611 61625 b4c198 61652 b4ce21 61625->61652 61627 b4c19d ___unDNameEx 61656 b4c57f 61627->61656 61629 b4c1b5 61630 b4c30e 61629->61630 61640 b4c1df ___scrt_is_nonwritable_in_current_image 
___scrt_release_startup_lock std::locale::_Setgloballocale 61629->61640 61682 b4ceff 4 API calls 2 library calls 61630->61682 61632 b4c315 61683 b85913 23 API calls std::locale::_Setgloballocale 61632->61683 61634 b4c31b 61684 b858d0 23 API calls std::locale::_Setgloballocale 61634->61684 61636 b4c1fe 61637 b4c323 61638 b4c27f 61664 b853a8 61638->61664 61640->61636 61640->61638 61678 b74f76 76 API calls 3 library calls 61640->61678 61642 b4c285 61668 ba7e40 GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 61642->61668 61646 b4c2a6 61646->61632 61647 b4c2aa 61646->61647 61648 b4c2b3 61647->61648 61680 b858c1 23 API calls std::locale::_Setgloballocale 61647->61680 61681 b4c6f0 85 API calls ___scrt_uninitialize_crt 61648->61681 61651 b4c2bc 61651->61636 61653 b4ce37 61652->61653 61655 b4ce40 61653->61655 61685 b4cdd4 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 61653->61685 61655->61627 61657 b4c588 61656->61657 61686 b4cbc5 IsProcessorFeaturePresent 61657->61686 61659 b4c594 61687 b51bfe 10 API calls 2 library calls 61659->61687 61661 b4c599 61662 b4c59d 61661->61662 61688 b51c30 7 API calls 2 library calls 61661->61688 61662->61629 61665 b853b6 61664->61665 61666 b853b1 61664->61666 61665->61642 61689 b84bba 87 API calls 61666->61689 61669 ba7ea6 GetModuleHandleA GetProcAddress 61668->61669 61671 ba7ec1 61669->61671 61672 b4c39e codecvt 3 API calls 61671->61672 61673 ba7ecf 61672->61673 61690 ba7d20 61673->61690 61675 ba7ed9 61676 b4c29c 61675->61676 61727 ba7f20 106 API calls std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 61675->61727 61679 b4d04d GetModuleHandleW 61676->61679 61678->61638 61679->61646 61680->61648 61681->61651 61682->61632 61683->61634 61684->61637 61685->61655 61686->61659 61687->61661 61688->61662 61689->61665 61728 b21280 61690->61728 61697 b4c39e codecvt 3 API calls 61698 ba7d4b 61697->61698 61699 b4c39e codecvt 3 API calls 61698->61699 61700 ba7d54 61699->61700 61748 b5aeda 61700->61748 61702 
ba7d6f 61703 ba7d78 61702->61703 61704 ba7db3 61702->61704 61706 ba7d7d GetCurrentThreadId 61703->61706 61707 ba7dc0 61703->61707 61764 b296c3 77 API calls CallUnexpected 61704->61764 61709 ba7d86 61706->61709 61710 ba7dc7 61706->61710 61765 b296c3 77 API calls CallUnexpected 61707->61765 61763 b2c052 WaitForSingleObjectEx GetExitCodeThread CloseHandle 61709->61763 61766 b296c3 77 API calls CallUnexpected 61710->61766 61713 ba7dce 61767 b296c3 77 API calls CallUnexpected 61713->61767 61714 ba7d92 61714->61713 61716 ba7d99 61714->61716 61717 ba7dd5 61716->61717 61718 ba7da2 std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 61716->61718 61768 b74f76 76 API calls 3 library calls 61717->61768 61718->61675 61727->61676 61729 b2128c _vsnprintf std::_Rng_abort 61728->61729 61769 b748fb 61729->61769 61732 b25ba0 61734 b25be1 61732->61734 61788 b241b0 61734->61788 61736 b25d82 61740 b25db0 61736->61740 61737 b25d6f 61737->61736 61801 b25170 77 API calls 61737->61801 61739 b25c36 61793 b22840 61739->61793 61741 b25dd5 61740->61741 61814 b259f0 61741->61814 61744 b25ddf 61847 b27570 61744->61847 61746 b25070 77 API calls 61747 b25e1a 61746->61747 61747->61697 61749 b5aee7 61748->61749 61750 b5aefb 61748->61750 61874 b7a7f9 14 API calls __dosmaperr 61749->61874 61865 b5ad9d 61750->61865 61753 b5aeec 61875 b76c01 76 API calls __get_errno 61753->61875 61756 b5af10 CreateThread 61758 b5af2f GetLastError 61756->61758 61762 b5af3b 61756->61762 61903 b5ac21 61756->61903 61757 b5aef7 61757->61702 61876 b7a79f 14 API calls 2 library calls 61758->61876 61877 b5acd1 61762->61877 61763->61714 61764->61707 61765->61710 61766->61713 61767->61717 61770 b7490f _Fputc 61769->61770 61771 b74931 61770->61771 61773 b74958 61770->61773 61784 b76b84 76 API calls 3 library calls 61771->61784 61785 b5b34f 79 API calls 2 library calls 61773->61785 61774 b7494c 61778 b65f60 61774->61778 61779 b65f6c 61778->61779 61780 b65f83 61779->61780 61786 b66c60 76 API calls 2 library calls 61779->61786 61783 b212a7 
61780->61783 61787 b66c60 76 API calls 2 library calls 61780->61787 61783->61732 61784->61774 61785->61774 61786->61780 61787->61783 61789 b241cc 61788->61789 61790 b241e0 61789->61790 61802 b25070 61789->61802 61790->61739 61794 b2285a 61793->61794 61794->61737 61796 b22872 61794->61796 61811 b4d807 RaiseException 61794->61811 61812 b22770 77 API calls 4 library calls 61796->61812 61798 b228a8 61813 b4d807 RaiseException 61798->61813 61800 b228b7 61800->61737 61801->61736 61803 b241ff 61802->61803 61804 b250b1 61802->61804 61803->61739 61805 b241b0 77 API calls 61804->61805 61806 b250ba 61805->61806 61807 b2512d 61806->61807 61809 b22840 77 API calls 61806->61809 61807->61803 61810 b25170 77 API calls 61807->61810 61809->61807 61810->61803 61811->61796 61812->61798 61813->61800 61854 b29290 7 API calls std::_Lockit::_Lockit 61814->61854 61816 b25a02 61826 b25a3d std::locale::_Locimp::_Locimp_ctor 61816->61826 61855 b29290 7 API calls std::_Lockit::_Lockit 61816->61855 61818 b25a60 61857 b292f7 LeaveCriticalSection LeaveCriticalSection std::_Lockit::~_Lockit 61818->61857 61820 b25a1c 61856 b292f7 LeaveCriticalSection LeaveCriticalSection std::_Lockit::~_Lockit 61820->61856 61821 b25a69 61821->61744 61822 b25a8f 61824 b25a93 61822->61824 61825 b25aa8 61822->61825 61858 b292f7 LeaveCriticalSection LeaveCriticalSection std::_Lockit::~_Lockit 61824->61858 61828 b4c39e codecvt 3 API calls 61825->61828 61826->61818 61826->61822 61829 b25aaf 61828->61829 61859 b29290 7 API calls std::_Lockit::_Lockit 61829->61859 61830 b25a9e 61830->61744 61832 b25adb 61833 b25b21 61832->61833 61834 b25b7f 61832->61834 61860 b2b734 100 API calls 2 library calls 61833->61860 61863 b29c67 77 API calls 2 library calls 61834->61863 61837 b25b89 61837->61744 61838 b25b2c 61861 b2ba58 76 API calls 2 library calls 61838->61861 61840 b25b43 61862 b220e0 100 API calls 2 library calls 61840->61862 61848 b241b0 77 API calls 61847->61848 61849 b275ae 61848->61849 61850 b22840 77 API calls 
61849->61850 61852 b27633 61850->61852 61851 b25e13 61851->61746 61852->61851 61864 b25170 77 API calls 61852->61864 61854->61816 61855->61820 61856->61826 61857->61821 61858->61830 61859->61832 61860->61838 61861->61840 61863->61837 61864->61851 61885 b885d2 61865->61885 61870 b5adc2 GetModuleHandleExW 61871 b5addf 61870->61871 61872 b5acd1 __Thrd_start 16 API calls 61871->61872 61873 b5ade7 61872->61873 61873->61756 61873->61762 61874->61753 61875->61757 61876->61762 61878 b5acdd 61877->61878 61884 b5ad01 61877->61884 61879 b5ace3 CloseHandle 61878->61879 61880 b5acec 61878->61880 61879->61880 61881 b5acf2 FreeLibrary 61880->61881 61882 b5acfb 61880->61882 61881->61882 61883 b88635 ___free_lconv_mon 14 API calls 61882->61883 61883->61884 61884->61702 61886 b885df 61885->61886 61887 b8861f 61886->61887 61888 b8860a HeapAlloc 61886->61888 61892 b885f3 __strftime_l 61886->61892 61901 b7a7f9 14 API calls __dosmaperr 61887->61901 61889 b8861d 61888->61889 61888->61892 61891 b5adae 61889->61891 61894 b88635 61891->61894 61892->61887 61892->61888 61900 b87be4 EnterCriticalSection LeaveCriticalSection codecvt 61892->61900 61895 b5adbb 61894->61895 61896 b88640 HeapFree 61894->61896 61895->61870 61895->61871 61896->61895 61897 b88655 GetLastError 61896->61897 61898 b88662 __dosmaperr 61897->61898 61902 b7a7f9 14 API calls __dosmaperr 61898->61902 61900->61892 61901->61891 61902->61895 61904 b5ac2d ___unDNameEx 61903->61904 61905 b5ac34 GetLastError ExitThread 61904->61905 61906 b5ac41 61904->61906 61917 b8a1f9 GetLastError 61906->61917 61911 b5ac5d 61950 b5af65 17 API calls 61911->61950 61918 b8a215 61917->61918 61919 b8a20f 61917->61919 61923 b8a219 SetLastError 61918->61923 61952 b89072 6 API calls std::_Locinfo::_Locinfo_dtor 61918->61952 61951 b89033 6 API calls std::_Locinfo::_Locinfo_dtor 61919->61951 61922 b8a231 61922->61923 61925 b885d2 __Getctype 14 API calls 61922->61925 61927 b5ac46 61923->61927 61928 b8a2ae 61923->61928 61926 b8a246 61925->61926 61929 b8a24e 
61926->61929 61930 b8a25f 61926->61930 61944 b8a697 61927->61944 61957 b76d87 76 API calls 3 library calls 61928->61957 61953 b89072 6 API calls std::_Locinfo::_Locinfo_dtor 61929->61953 61954 b89072 6 API calls std::_Locinfo::_Locinfo_dtor 61930->61954 61934 b8a2b3 61935 b8a26b 61936 b8a26f 61935->61936 61937 b8a286 61935->61937 61955 b89072 6 API calls std::_Locinfo::_Locinfo_dtor 61936->61955 61956 b89dc2 14 API calls __Getctype 61937->61956 61940 b88635 ___free_lconv_mon 14 API calls 61940->61923 61941 b8a291 61943 b88635 ___free_lconv_mon 14 API calls 61941->61943 61942 b8a25c 61942->61940 61943->61923 61945 b8a6a9 GetPEB 61944->61945 61948 b5ac51 61944->61948 61946 b8a6bc 61945->61946 61945->61948 61958 b88e64 61946->61958 61948->61911 61949 b89461 5 API calls std::_Locinfo::_Locinfo_dtor 61948->61949 61949->61911 61951->61918 61952->61922 61953->61942 61954->61935 61955->61942 61956->61941 61957->61934 61961 b88c84 61958->61961 61962 b88cb2 61961->61962 61963 b88cae 61961->61963 61962->61963 61968 b88bb9 61962->61968 61963->61948 61966 b88ccc GetProcAddress 61966->61963 61967 b88cdc std::_Locinfo::_Locinfo_dtor 61966->61967 61967->61963 61974 b88bca ___vcrt_FlsFree 61968->61974 61969 b88c60 61969->61963 61969->61966 61970 b88be8 LoadLibraryExW 61971 b88c03 GetLastError 61970->61971 61972 b88c67 61970->61972 61971->61974 61972->61969 61973 b88c79 FreeLibrary 61972->61973 61973->61969 61974->61969 61974->61970 61975 b88c36 LoadLibraryExW 61974->61975 61975->61972 61975->61974

                              Control-flow Graph

                              APIs
                              • CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,007E00FF,007E00EF), ref: 007E02FC
                              • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 007E030F
                              • Wow64GetThreadContext.KERNEL32(00000120,00000000), ref: 007E032D
                              • ReadProcessMemory.KERNELBASE(0000011C,?,007E0143,00000004,00000000), ref: 007E0351
                              • VirtualAllocEx.KERNELBASE(0000011C,?,?,00003000,00000040), ref: 007E037C
                              • TerminateProcess.KERNELBASE(0000011C,00000000), ref: 007E039B
                              • WriteProcessMemory.KERNELBASE(0000011C,00000000,?,?,00000000,?), ref: 007E03D4
                              • WriteProcessMemory.KERNELBASE(0000011C,00400000,?,?,00000000,?,00000028), ref: 007E041F
                              • WriteProcessMemory.KERNELBASE(0000011C,00AFFFC0,?,00000004,00000000), ref: 007E045D
                              • Wow64SetThreadContext.KERNEL32(00000120,00B00000), ref: 007E0499
                              • ResumeThread.KERNELBASE(00000120), ref: 007E04A8
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271322291.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                              Similarity
                              • API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResumeTerminate
                              • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
                              • API String ID: 2440066154-1257834847
                              • Opcode ID: 6ed679946abb4a161c9f75f6101290084365813039212a6bd0c7882d8dd446c2
                              • Instruction ID: 67ccb405d9e6cee09489deb7a8c381f4a2b8c98a811e5a879affbc6bdd16b8eb
                              • Opcode Fuzzy Hash: 6ed679946abb4a161c9f75f6101290084365813039212a6bd0c7882d8dd446c2
                              • Instruction Fuzzy Hash: 7FB1E57260128AAFDB60CF69CC80BDA77A5FF8C714F158524EA0CAB341D774FA418B94

                              Control-flow Graph

                              control_flow_graph 161 ba78b0-ba78fd call b4c39e 164 ba7900-ba7917 161->164 165 ba7919-ba7924 164->165 166 ba7926-ba7939 call b28170 164->166 167 ba793d-ba7941 165->167 166->167 167->164 170 ba7943-ba795a 167->170 171 ba795c-ba7962 170->171 172 ba79cd-ba79d4 170->172 175 ba7ada call b279e0 171->175 176 ba7968-ba7975 171->176 173 ba79da-ba79dc 172->173 174 ba7a5b-ba7a5d 172->174 180 ba79e0-ba7a59 call b25ba0 call b25db0 call b25ba0 call b25db0 call b7676a 173->180 177 ba7a88-ba7a9c call b4c3ce 174->177 178 ba7a5f-ba7a6c 174->178 187 ba7adf call b21520 175->187 181 ba79a2-ba79a4 176->181 182 ba7977-ba797c 176->182 200 ba7a9e-ba7aab 177->200 201 ba7ac7-ba7ad9 call b4c38b 177->201 185 ba7a7e-ba7a85 call b4c3ce 178->185 186 ba7a6e-ba7a7c 178->186 180->174 183 ba79a6-ba79b5 call b4c39e 181->183 184 ba79b7 181->184 182->187 190 ba7982-ba798d call b4c39e 182->190 194 ba79b9-ba79ca call b4e280 183->194 184->194 185->177 186->185 195 ba7ae4-ba7b93 call b76c11 call b283a0 call b4c39e call ba7500 VirtualAlloc call ba78b0 186->195 187->195 190->195 210 ba7993-ba79a0 190->210 194->172 231 ba7b98-ba7bc5 call ba71f0 195->231 208 ba7abd-ba7ac4 call b4c3ce 200->208 209 ba7aad-ba7abb 200->209 208->201 209->195 209->208 210->194 235 ba7bef-ba7c01 call b4c38b 231->235 236 ba7bc7-ba7bd3 231->236 238 ba7be5-ba7bec call b4c3ce 236->238 239 ba7bd5-ba7be3 236->239 238->235 239->238 242 ba7c02-ba7c23 call b76c11 239->242 246 ba7c4d-ba7c4f 242->246 247 ba7c25-ba7c2c 242->247 248 ba7c30 247->248 249 ba7c35-ba7c44 call b22b40 248->249 252 ba7c46-ba7c49 249->252 252->248 253 ba7c4b-ba7c4c 252->253 253->246
                              APIs
                                • Part of subcall function 00B21520: ___std_exception_copy.LIBVCRUNTIME ref: 00B2155C
                              • VirtualAlloc.KERNELBASE(00000000,000004AC,00001000,00000040,?), ref: 00BA7B88
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocVirtual___std_exception_copy
                              • String ID: Earth$Own head
                              • API String ID: 1139562770-4036566267
                              • Opcode ID: 4646957b3992167b509b26e55a370befc9c30be056d59d49aa243ba52d129c61
                              • Instruction ID: 89e5002f29c13e168d1d0b3e4224e0a776fd745db2ff91c2258d3de724c37bd9
                              • Opcode Fuzzy Hash: 4646957b3992167b509b26e55a370befc9c30be056d59d49aa243ba52d129c61
                              • Instruction Fuzzy Hash: 36A17A7290D3006BC714EF38EC85AAFB7E4EF86300F5446A9F84997242EF74AA44C795

                              Control-flow Graph

                              control_flow_graph 346 b8a697-b8a6a7 347 b8a6a9-b8a6ba GetPEB 346->347 348 b8a6d6-b8a6da 346->348 349 b8a6bc-b8a6c0 call b88e64 347->349 350 b8a6cd-b8a6d4 347->350 352 b8a6c5-b8a6c8 349->352 350->348 352->350 353 b8a6ca-b8a6cc 352->353 353->350
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9b648215b642596574fba81a53f3868e904589de32089efc76a2176381690929
                              • Instruction ID: 9eab911155aaff7adad389f23ac98c81ced73f7bdf1b26a7620588c06dacb8a6
                              • Opcode Fuzzy Hash: 9b648215b642596574fba81a53f3868e904589de32089efc76a2176381690929
                              • Instruction Fuzzy Hash: 0EF01C31A15324DFDB26EA48C805A59B2ECEB45B55F154096E5019B160D6B0AD00C7D1

                              Control-flow Graph

                              APIs
                              • GetModuleHandleA.KERNEL32(user32.dll,ShowWindow,5838D13B), ref: 00BA7E7B
                              • GetProcAddress.KERNEL32(00000000), ref: 00BA7E84
                              • GetModuleHandleA.KERNEL32(kernel32.dll,GetConsoleWindow), ref: 00BA7E93
                              • GetProcAddress.KERNEL32(00000000), ref: 00BA7E96
                              • GetModuleHandleA.KERNEL32(kernel32.dll,FreeConsole), ref: 00BA7EB4
                              • GetProcAddress.KERNEL32(00000000), ref: 00BA7EB7
                                • Part of subcall function 00BA7D20: GetCurrentThreadId.KERNEL32 ref: 00BA7D7D
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressHandleModuleProc$CurrentThread
                              • String ID: FreeConsole$GetConsoleWindow$ShowWindow$kernel32.dll$user32.dll
                              • API String ID: 4239977575-3695373866
                              • Opcode ID: d59bfc33d11def52d640c550a224fb8beb9a69ad05157f48ef12e159e808b038
                              • Instruction ID: 63821a72b743e178ea0f1e47048d61913b154691a85f264b8cf4f1d021700a94
                              • Opcode Fuzzy Hash: d59bfc33d11def52d640c550a224fb8beb9a69ad05157f48ef12e159e808b038
                              • Instruction Fuzzy Hash: 8C116671E442486FCB10EBB9DC06FAFBBF8EB85710F104976F504E3290EAB459008AD0

                              Control-flow Graph

                              control_flow_graph 33 b88bb9-b88bc5 34 b88c57-b88c5a 33->34 35 b88bca-b88bdb 34->35 36 b88c60 34->36 38 b88be8-b88c01 LoadLibraryExW 35->38 39 b88bdd-b88be0 35->39 37 b88c62-b88c66 36->37 42 b88c03-b88c0c GetLastError 38->42 43 b88c67-b88c77 38->43 40 b88c80-b88c82 39->40 41 b88be6 39->41 40->37 45 b88c54 41->45 46 b88c0e-b88c20 call b88598 42->46 47 b88c45-b88c52 42->47 43->40 44 b88c79-b88c7a FreeLibrary 43->44 44->40 45->34 46->47 50 b88c22-b88c34 call b88598 46->50 47->45 50->47 53 b88c36-b88c43 LoadLibraryExW 50->53 53->43 53->47
                              APIs
                              • FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,5838D13B,?,00B88CC6,?,?,?,00000000), ref: 00B88C7A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: FreeLibrary
                              • String ID: api-ms-$ext-ms-
                              • API String ID: 3664257935-537541572
                              • Opcode ID: 5515c2e6ee4b5b2de4dfb925113c0eff8307c4c704256723adacff6e131f5369
                              • Instruction ID: 82295e0369562674d54f4bb35acded495d53fdf0e12474dfb78a5f20c928e05b
                              • Opcode Fuzzy Hash: 5515c2e6ee4b5b2de4dfb925113c0eff8307c4c704256723adacff6e131f5369
                              • Instruction Fuzzy Hash: A821E071A02111ABDB21BB64DC85B5A37D8DB46760F5502A4E916B72B4EF30ED01CBE0

                              Control-flow Graph

                              APIs
                              • ___security_init_cookie.LIBCMT ref: 00B4C198
                                • Part of subcall function 00B4CE21: ___get_entropy.LIBCMT ref: 00B4CE3B
                              • ___scrt_release_startup_lock.LIBCMT ref: 00B4C234
                              • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 00B4C248
                              • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 00B4C26E
                              • ___scrt_uninitialize_crt.LIBCMT ref: 00B4C2B7
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ___scrt_is_nonwritable_in_current_image$___get_entropy___scrt_release_startup_lock___scrt_uninitialize_crt___security_init_cookie
                              • String ID:
                              • API String ID: 2539496024-0
                              • Opcode ID: fbe6ff3190bedd2031cbc52042ac689eb9a88d814f66a4bb83548f812fc82eb8
                              • Instruction ID: 86dda4906bf06772f9bf4973dd62b44e0c1e181a02337189e3d735b24d8fabb9
                              • Opcode Fuzzy Hash: fbe6ff3190bedd2031cbc52042ac689eb9a88d814f66a4bb83548f812fc82eb8
                              • Instruction Fuzzy Hash: BA31E9316867519ADBA47BB4980376D7BE19F42F20F2000E9F4807B1E2DEA55B00F769

                              Control-flow Graph

                              APIs
                              • GetCurrentThreadId.KERNEL32 ref: 00BA7D7D
                                • Part of subcall function 00B2C052: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000), ref: 00B2C05E
                                • Part of subcall function 00B2C052: GetExitCodeThread.KERNEL32(?,?), ref: 00B2C077
                                • Part of subcall function 00B2C052: CloseHandle.KERNEL32(?), ref: 00B2C089
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Thread$CloseCodeCurrentExitHandleObjectSingleWait
                              • String ID: Success created.$Success destroyed.$jjj
                              • API String ID: 3356992203-3362827742
                              • Opcode ID: 1f358fddd03b0ed414c2dbc411b45a212c44c83e695923150b46af1314b75b94
                              • Instruction ID: b948bc6c9695074c5bed1542c6ed85d6f396b7ad9b576cd1bb601c0744feaeef
                              • Opcode Fuzzy Hash: 1f358fddd03b0ed414c2dbc411b45a212c44c83e695923150b46af1314b75b94
                              • Instruction Fuzzy Hash: 3911E2B1689711ABE7203BB46C1BF6B36D4DF50B41FA048F4F58CAA0C2EEB195008379

                              Control-flow Graph

                              control_flow_graph 254 b5aeda-b5aee5 255 b5aee7-b5aefa call b7a7f9 call b76c01 254->255 256 b5aefb-b5af0e call b5ad9d 254->256 262 b5af10-b5af2d CreateThread 256->262 263 b5af3c 256->263 266 b5af2f-b5af3b GetLastError call b7a79f 262->266 267 b5af4b-b5af50 262->267 264 b5af3e-b5af4a call b5acd1 263->264 266->263 269 b5af57-b5af5b 267->269 270 b5af52-b5af55 267->270 269->264 270->269
                              APIs
                              • CreateThread.KERNELBASE(?,00000001,Function_0003AC21,00000000,?,?), ref: 00B5AF23
                              • GetLastError.KERNEL32(?,?,?,00B2C127,00000000,00000000,00000001,?,00000000,?,?,?,00B2BFBD,00000000,Function_0000BF0E,?), ref: 00B5AF2F
                              • __dosmaperr.LIBCMT ref: 00B5AF36
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateErrorLastThread__dosmaperr
                              • String ID:
                              • API String ID: 2744730728-0
                              • Opcode ID: bdfd8afeffadbf64e4a3b363fa278fa2ca683e0aebbd26c65e30e94e10bc7d6b
                              • Instruction ID: c139e03785f6ad1daf9b08c7f308daa3ada6e11b27c8d593c5f57267ccfd1629
                              • Opcode Fuzzy Hash: bdfd8afeffadbf64e4a3b363fa278fa2ca683e0aebbd26c65e30e94e10bc7d6b
                              • Instruction Fuzzy Hash: 97018072500209AFDF15AFA0DC46A9E7BE4EF04312F1041D4BD01A6190EB71DE54EB91

                              Control-flow Graph

                              APIs
                              • GetLastError.KERNEL32(00BB8130,0000000C), ref: 00B5AC34
                              • ExitThread.KERNEL32 ref: 00B5AC3B
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorExitLastThread
                              • String ID:
                              • API String ID: 1611280651-0
                              • Opcode ID: 282cb1146cd045c1ad2d4a4be6416cc674fb3a7b3ca5e2acf43d64cada178302
                              • Instruction ID: 1d4a16b222b65575b385f17dd2cbf7571b40dd27444baa4e3eec5a1bc9217627
                              • Opcode Fuzzy Hash: 282cb1146cd045c1ad2d4a4be6416cc674fb3a7b3ca5e2acf43d64cada178302
                              • Instruction Fuzzy Hash: 92F08CB0A00204AFEB15BFB0C84AA6E3BA4EF49711F1441C9F501AB262CF305902DB92

                              Control-flow Graph

                              control_flow_graph 293 b88c84-b88cac 294 b88cae-b88cb0 293->294 295 b88cb2-b88cb4 293->295 296 b88d03-b88d06 294->296 297 b88cba-b88cc1 call b88bb9 295->297 298 b88cb6-b88cb8 295->298 300 b88cc6-b88cca 297->300 298->296 301 b88ce9-b88d00 300->301 302 b88ccc-b88cda GetProcAddress 300->302 304 b88d02 301->304 302->301 303 b88cdc-b88ce7 call b88302 302->303 303->304 304->296
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3377cc1d8cfd693c52ade984e0789822f4f9640cc4ae11490757cc94f93ea2e0
                              • Instruction ID: a7f7210f49178a6335b1ea75442f9d8b7b5f875d15c44071a8025dedf7f71ff7
                              • Opcode Fuzzy Hash: 3377cc1d8cfd693c52ade984e0789822f4f9640cc4ae11490757cc94f93ea2e0
                              • Instruction Fuzzy Hash: 7E01D837B01215AF9B16AF69EC41A5A33EAFBC53307948164F904DB1B8DE35DC41CB91

                              Control-flow Graph

                              control_flow_graph 307 ba7af0-ba7b93 call b283a0 call b4c39e call ba7500 VirtualAlloc call ba78b0 315 ba7b98-ba7bc5 call ba71f0 307->315 319 ba7bef-ba7c01 call b4c38b 315->319 320 ba7bc7-ba7bd3 315->320 322 ba7be5-ba7bec call b4c3ce 320->322 323 ba7bd5-ba7be3 320->323 322->319 323->322 326 ba7c02-ba7c23 call b76c11 323->326 330 ba7c4d-ba7c4f 326->330 331 ba7c25-ba7c2c 326->331 332 ba7c30 331->332 333 ba7c35-ba7c44 call b22b40 332->333 336 ba7c46-ba7c49 333->336 336->332 337 ba7c4b-ba7c4c 336->337 337->330
                              APIs
                              • VirtualAlloc.KERNELBASE(00000000,000004AC,00001000,00000040,?), ref: 00BA7B88
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocVirtual
                              • String ID:
                              • API String ID: 4275171209-0
                              • Opcode ID: dce4b957ed22ca4d6565f963895222c0f6ff5ec4e619e6854e03972561cbe6bb
                              • Instruction ID: 88c48d564003a4f183a187a1961d74ebea05c9046ec5974b63c4fb4423db9b71
                              • Opcode Fuzzy Hash: dce4b957ed22ca4d6565f963895222c0f6ff5ec4e619e6854e03972561cbe6bb
                              • Instruction Fuzzy Hash: 6E31F871D09208ABD705EF68EC92BADB7F1FF45310F504269F80567382EF70AA458795
                              APIs
                              • DName::DName.LIBVCRUNTIME ref: 00B54042
                              • operator+.LIBVCRUNTIME ref: 00B5405C
                              • DName::operator+.LIBCMT ref: 00B5418A
                              • DName::operator+.LIBCMT ref: 00B541A7
                                • Part of subcall function 00B553C0: DName::DName.LIBVCRUNTIME ref: 00B55403
                              • DName::operator+.LIBCMT ref: 00B5425B
                              • DName::operator+.LIBCMT ref: 00B5426A
                                • Part of subcall function 00B59B40: DName::operator+.LIBCMT ref: 00B59B84
                                • Part of subcall function 00B59B40: DName::operator+.LIBCMT ref: 00B59B90
                                • Part of subcall function 00B59B40: DName::operator+.LIBCMT ref: 00B59C0B
                                • Part of subcall function 00B59B40: DName::operator+=.LIBCMT ref: 00B59C4E
                              • DName::operator+.LIBCMT ref: 00B541F6
                                • Part of subcall function 00B53DB2: DName::operator=.LIBVCRUNTIME ref: 00B53DD3
                                • Part of subcall function 00B53D5A: shared_ptr.LIBCMT ref: 00B53D76
                                • Part of subcall function 00B55ABC: shared_ptr.LIBCMT ref: 00B55B62
                              • DName::operator+.LIBCMT ref: 00B547D4
                              • DName::operator+.LIBCMT ref: 00B547F0
                              • DName::operator+.LIBCMT ref: 00B54A8F
                                • Part of subcall function 00B53C49: DName::operator+.LIBCMT ref: 00B53C6A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Name::operator+$NameName::shared_ptr$Name::operator+=Name::operator=operator+
                              • String ID: /
                              • API String ID: 848932493-2043925204
                              • Opcode ID: b1689662b24f9223c70c93d01434e623e9c5cd0c6e5d9e5d20f09866a3f1a97e
                              • Instruction ID: 916c9bc44a4a44587ea85d5a3fa951c64a9ab3836f499be19c684e64425f0fe2
                              • Opcode Fuzzy Hash: b1689662b24f9223c70c93d01434e623e9c5cd0c6e5d9e5d20f09866a3f1a97e
                              • Instruction Fuzzy Hash: 5D926F72E146199ADB18DFA8CC95BEE77F4EB18346F0401F9E912E7280DB68D94CCB50
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: __floor_pentium4
                              • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                              • API String ID: 4168288129-2761157908
                              • Opcode ID: 6da79cb4448a04d0e64c0b22ca9e46e64e33d95065d2590c73d61e180b10ea1a
                              • Instruction ID: d455b891f10e63e2e0611d924230f29c3b1be37d026d55efb3adb150927dcd1d
                              • Opcode Fuzzy Hash: 6da79cb4448a04d0e64c0b22ca9e46e64e33d95065d2590c73d61e180b10ea1a
                              • Instruction Fuzzy Hash: 1DD2F771E082288BDF65CE28DD85BEAB7F5EB55304F1541EAD40DE7240E778AE818F81
                              APIs
                              • GetLocaleInfoW.KERNEL32(?,2000000B,00B97A33,00000002,00000000,?,?,?,00B97A33,?,00000000), ref: 00B977AE
                              • GetLocaleInfoW.KERNEL32(?,20001004,00B97A33,00000002,00000000,?,?,?,00B97A33,?,00000000), ref: 00B977D7
                              • GetACP.KERNEL32(?,?,00B97A33,?,00000000), ref: 00B977EC
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: InfoLocale
                              • String ID: ACP$OCP
                              • API String ID: 2299586839-711371036
                              • Opcode ID: 319448f2f1b8599fabed033fda1efc0ffba2d32541585bf8ceb5bbfd637f7340
                              • Instruction ID: f43a2ccea35c2cea515366f120b13f93ddca85cd4d600f496502f5330b2ab05c
                              • Opcode Fuzzy Hash: 319448f2f1b8599fabed033fda1efc0ffba2d32541585bf8ceb5bbfd637f7340
                              • Instruction Fuzzy Hash: 5F21C4327A8101AAEF208BA4CA45A9B73E6EB54B10B5684F4E90AD7201FF36DD40C390
                              APIs
                                • Part of subcall function 00B8A1F9: GetLastError.KERNEL32(?,?,00B5AC46,00BB8130,0000000C), ref: 00B8A1FD
                                • Part of subcall function 00B8A1F9: SetLastError.KERNEL32(00000000), ref: 00B8A29F
                              • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00B979F6
                              • IsValidCodePage.KERNEL32(00000000), ref: 00B97A3F
                              • IsValidLocale.KERNEL32(?,00000001), ref: 00B97A4E
                              • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00B97A96
                              • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00B97AB5
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                              • String ID:
                              • API String ID: 415426439-0
                              • Opcode ID: cc030555668e414aa57a371717e0ed06f412b389a38e53f8ded08adcc1ef4b7e
                              • Instruction ID: 7c39e268114d0933def55e55207b77144835accc90b904c5bdff5d7ca37ded7b
                              • Opcode Fuzzy Hash: cc030555668e414aa57a371717e0ed06f412b389a38e53f8ded08adcc1ef4b7e
                              • Instruction Fuzzy Hash: CC514F71A64205AEEF11EFA5CC85ABE77F8FF0A700F1444B5E915E7190EF709A408B61
                              APIs
                                • Part of subcall function 00B8A1F9: GetLastError.KERNEL32(?,?,00B5AC46,00BB8130,0000000C), ref: 00B8A1FD
                                • Part of subcall function 00B8A1F9: SetLastError.KERNEL32(00000000), ref: 00B8A29F
                              • GetACP.KERNEL32(?,?,?,?,?,?,00B868DB,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00B97029
                              • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00B868DB,?,?,?,00000055,?,-00000050,?,?), ref: 00B97054
                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00B971B7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$CodeInfoLocalePageValid
                              • String ID: utf8
                              • API String ID: 607553120-905460609
                              • Opcode ID: 324657d6fd307fd6dedab7efbeef5ccbf1591f184f5f10a6427976d9e80492dc
                              • Instruction ID: c97dab212199ef1075503d1e54e1addcf40856dc98dfad22dcbfa47592246c75
                              • Opcode Fuzzy Hash: 324657d6fd307fd6dedab7efbeef5ccbf1591f184f5f10a6427976d9e80492dc
                              • Instruction Fuzzy Hash: 9971F371658612ABEF24BB74CC86BAA77E8EF05710F1440BAF505E7181EE74ED4087A0
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: _strrchr
                              • String ID:
                              • API String ID: 3213747228-0
                              • Opcode ID: 59a49a276b1fdaf459c1fac0e65c6a6e2ad76d512d72c795e1df6e05635919b3
                              • Instruction ID: 02164772ff847f34c3bbe7e8bd0415abbdf0b9aa4c289f3fa50fe7c7e037f8d6
                              • Opcode Fuzzy Hash: 59a49a276b1fdaf459c1fac0e65c6a6e2ad76d512d72c795e1df6e05635919b3
                              • Instruction Fuzzy Hash: C7B117329042469FEB15AF68C8917EEBBE5EF55310F1481EBE805AB251D235DD01CBA2
                              APIs
                              • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,?,00000000,?,00000000), ref: 00B9322E
                              • FindNextFileW.KERNEL32(00000000,?), ref: 00B932A9
                              • FindClose.KERNEL32(00000000), ref: 00B932CB
                              • FindClose.KERNEL32(00000000), ref: 00B932EE
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$CloseFile$FirstNext
                              • String ID:
                              • API String ID: 1164774033-0
                              • Opcode ID: 821a19e92e726fed42b872932b15fb18f690998215f04ab94f681fa2bb70f937
                              • Instruction ID: 47257cf918004085793d91199414007b14263539a7fb247b5233257bd5f1e3a3
                              • Opcode Fuzzy Hash: 821a19e92e726fed42b872932b15fb18f690998215f04ab94f681fa2bb70f937
                              • Instruction Fuzzy Hash: A541A471A00129AFDF20DF68CC89AAAB7F9EB85715F1441E5E405E7184EA309F84CB64
                              APIs
                              • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00B4CF0B
                              • IsDebuggerPresent.KERNEL32 ref: 00B4CFD7
                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00B4CFF0
                              • UnhandledExceptionFilter.KERNEL32(?), ref: 00B4CFFA
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                              • String ID:
                              • API String ID: 254469556-0
                              • Opcode ID: c7764d65c01426f58a34342d0ce4832a88e1078a45239e02f84426e1f2cbcaea
                              • Instruction ID: 94d32f129ea5212a24d8bf77514a5b4b0d2f13229f0289784d4bd9d8882ce3dd
                              • Opcode Fuzzy Hash: c7764d65c01426f58a34342d0ce4832a88e1078a45239e02f84426e1f2cbcaea
                              • Instruction Fuzzy Hash: 8E31E375D052189ADB20DFA4DD8ABCDBBF8BF08300F1041EAE50DAB250EB719B859F45
                              APIs
                              • GetLocaleInfoEx.KERNEL32(!x-sys-default-locale,20000001,?,00000002), ref: 00B2E9D3
                              • FormatMessageA.KERNEL32(00001300,00000000,?,?,?,00000000,00000000), ref: 00B2E9FA
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: FormatInfoLocaleMessage
                              • String ID: !x-sys-default-locale
                              • API String ID: 4235545615-2729719199
                              • Opcode ID: fb6641130c55f3cd7fce179d11b1d9188bb1cddcd37b4785681747069bc7dcd7
                              • Instruction ID: 6226e40fee9aa303852e0928466658fc87d1a86ae1e8d850318981d64a6bfa3d
                              • Opcode Fuzzy Hash: fb6641130c55f3cd7fce179d11b1d9188bb1cddcd37b4785681747069bc7dcd7
                              • Instruction Fuzzy Hash: F3F03075514114FFEB149B95DC0BDAA7BECEB09750F004056B605D6050E6B0AE40D770
                              APIs
                                • Part of subcall function 00B8A1F9: GetLastError.KERNEL32(?,?,00B5AC46,00BB8130,0000000C), ref: 00B8A1FD
                                • Part of subcall function 00B8A1F9: SetLastError.KERNEL32(00000000), ref: 00B8A29F
                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B973ED
                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B97437
                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B974FD
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: InfoLocale$ErrorLast
                              • String ID:
                              • API String ID: 661929714-0
                              • Opcode ID: f66b479fc9dcc70500b740ce1e5019f17d736b77bbf2208d64b604ebdadecc0a
                              • Instruction ID: 648f723298d9ed18aea3790a19df8341b10678e5d9a132ab103eac7803a5298a
                              • Opcode Fuzzy Hash: f66b479fc9dcc70500b740ce1e5019f17d736b77bbf2208d64b604ebdadecc0a
                              • Instruction Fuzzy Hash: E6617C719A41079BEF68AF28CC86BAA7BE8EF14300F1441F9E905C6695FF34D981DB50
                              APIs
                              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000010), ref: 00B76AD9
                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000010), ref: 00B76AE3
                              • UnhandledExceptionFilter.KERNEL32(00BB7F08,?,?,?,?,?,00000010), ref: 00B76AF0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                              • String ID:
                              • API String ID: 3906539128-0
                              • Opcode ID: bc4d4f3582e277b52250e753ff45d34ed6e2643be28cdbf59521a901bce6f678
                              • Instruction ID: d54e93778f466f731ac0e549098ca1e58b3e62d7d120437e65198e7b1b58d9e8
                              • Opcode Fuzzy Hash: bc4d4f3582e277b52250e753ff45d34ed6e2643be28cdbf59521a901bce6f678
                              • Instruction Fuzzy Hash: 5F319274901218ABCB21DF68DD89B8DBBF8BF18310F5041EAE41DA7291EB749B858F45
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 84c59fd22c50fec11d713d5ba0d7b4fe03e09ca87038cfd7edf77aaf576bae43
                              • Instruction ID: 0edd2696fd9c74ae9c809d1dbec6353ec8fac3b7f59ab87b0542f9b6a19721c6
                              • Opcode Fuzzy Hash: 84c59fd22c50fec11d713d5ba0d7b4fe03e09ca87038cfd7edf77aaf576bae43
                              • Instruction Fuzzy Hash: 2DF14171E0121A9FDF14CFA8D8806ADB7F1FF88324F1582A9E929A7394D7309D45CB94
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: %$+
                              • API String ID: 0-2626897407
                              • Opcode ID: 8f770cd50f74966f152b013a75875b2c74fc1b2f2f937f17ffbe6b7532f331e1
                              • Instruction ID: 1bea21ebc3e451edb789a9fa172123c5f719006cf5b0d61c970e1d6378b093df
                              • Opcode Fuzzy Hash: 8f770cd50f74966f152b013a75875b2c74fc1b2f2f937f17ffbe6b7532f331e1
                              • Instruction Fuzzy Hash: 43F115729083509FC715DF28DC41A6FBBE5FF89B00F044A6DF989AB251D738DA448792
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: __floor_pentium4
                              • String ID:
                              • API String ID: 4168288129-0
                              • Opcode ID: 1c835cc6bf41a3fb4e2e1dcdf5afe7973190037c91319aff8e54f1d0c0000c69
                              • Instruction ID: b4205cc4d1d9c72d20287539cada205447b35b2f2dec08bdd23bd1fa5a923fb7
                              • Opcode Fuzzy Hash: 1c835cc6bf41a3fb4e2e1dcdf5afe7973190037c91319aff8e54f1d0c0000c69
                              • Instruction Fuzzy Hash: 07B21671E086298BDFA5CE28DD807AAB7F5EB49305F1541EAD80DE7240E735AE818F41
                              APIs
                              • GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00B924BD,00000000,00000000,00000000), ref: 00B9237C
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: InformationTimeZone
                              • String ID:
                              • API String ID: 565725191-0
                              • Opcode ID: 08e2254feef82545d1b3c25de29c3e175cb1c7e97d0486a2ba7490b6c46b100d
                              • Instruction ID: 0b475b2d4dab81ebf33318b9d234fec8792a0d260e5042e64f9c0bb3d877e902
                              • Opcode Fuzzy Hash: 08e2254feef82545d1b3c25de29c3e175cb1c7e97d0486a2ba7490b6c46b100d
                              • Instruction Fuzzy Hash: 84C10572D00126BBDF14ABA8DC42ABE7BF9EF04750F1540B6F911A7291EB309E41D794
                              APIs
                              • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000000), ref: 00B8C53D
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExceptionRaise
                              • String ID:
                              • API String ID: 3997070919-0
                              • Opcode ID: 79a0fdfa2b49a5994a881e53bfa1ac7014197b61fb52a5f42594431f9585d5e9
                              • Instruction ID: 04ff045a2f720ceb66d01d7220b6662b0d4f5278b4421bc67d465748b79d531d
                              • Opcode Fuzzy Hash: 79a0fdfa2b49a5994a881e53bfa1ac7014197b61fb52a5f42594431f9585d5e9
                              • Instruction Fuzzy Hash: A1B14C71210608CFDB15DF28C496AA57FE0FF45364F298699E89ACF2B1C735E982CB50
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 96447b736052a82d38e8bf9c4e95c5385b76195f84cae98045c66ebaee88ca6f
                              • Instruction ID: c68ea9f006dbe9c7e39432cd1a17a0ee7e629a18416fdb8b0d14a0b8edda4df1
                              • Opcode Fuzzy Hash: 96447b736052a82d38e8bf9c4e95c5385b76195f84cae98045c66ebaee88ca6f
                              • Instruction Fuzzy Hash: 1951C4B5C04219AFDF24DFB8CC85AAABBF9EF45300F1445E9E819D3201EA359E458B50
                              APIs
                              • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00B4CBDB
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: FeaturePresentProcessor
                              • String ID:
                              • API String ID: 2325560087-0
                              • Opcode ID: 7fcd3d48abc32012ffc47faa4e3ef1b0f71bebbbf45c58dddba12dba7f18608d
                              • Instruction ID: d358db806e1318d6a357f1fe8bf5544a3171a40718477c569b91daabf5b7495e
                              • Opcode Fuzzy Hash: 7fcd3d48abc32012ffc47faa4e3ef1b0f71bebbbf45c58dddba12dba7f18608d
                              • Instruction Fuzzy Hash: 3C518BB1E022059FEB55CF68D8C27AEBFF0FB48710F2585AAD409EB251D7749A40DB90
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 0
                              • API String ID: 0-4108050209
                              • Opcode ID: b459bf15404a0ecd74235168e707963e6d124d6dda87fbc759c3353832982863
                              • Instruction ID: 2101abb22c4963b707e62461bc6e0d01fa3464ceb4d5be6f8f8f909fef9821d0
                              • Opcode Fuzzy Hash: b459bf15404a0ecd74235168e707963e6d124d6dda87fbc759c3353832982863
                              • Instruction Fuzzy Hash: 9FE1BD78A006058FCB24CF68C580ABEB7F1FF59314F248A9DE4669B291D738ED46CB51
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 0
                              • API String ID: 0-4108050209
                              • Opcode ID: bdfb6e6506f9cef5be2d23da1f925be1f39285e349fb543958e9ecb3f847647d
                              • Instruction ID: 764ffdc5188315bd3b54b4cd152afc79dc49350458777ed39d8c88d479e28128
                              • Opcode Fuzzy Hash: bdfb6e6506f9cef5be2d23da1f925be1f39285e349fb543958e9ecb3f847647d
                              • Instruction Fuzzy Hash: 7BE1DD786006058FCB24CF68C494AAEB7F2FF55314B244A9DE4769B390E738ED46CB51
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 0
                              • API String ID: 0-4108050209
                              • Opcode ID: 9a808d0e291209b75ffb30f8295a97a92b4f7cb04bb406ff8a51ce22d9495500
                              • Instruction ID: 2267b303db6bc2bd2657630a121eb728a243ec6affd8ae713a5ad23f7ac80f17
                              • Opcode Fuzzy Hash: 9a808d0e291209b75ffb30f8295a97a92b4f7cb04bb406ff8a51ce22d9495500
                              • Instruction Fuzzy Hash: AAE19E786006058FCB24CF68C5C0AAEB7F1FF49314B2486ADD47A9B291D739ED46CB61
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 0
                              • API String ID: 0-4108050209
                              • Opcode ID: f1e1d709ca5c98b61822bfbec9f9ec010798e8b5152ebdef49621f9d33aa0176
                              • Instruction ID: 4e7e79aaf2221096f726a77ed9658068f11bbcd8aa16fdecf09857f218962599
                              • Opcode Fuzzy Hash: f1e1d709ca5c98b61822bfbec9f9ec010798e8b5152ebdef49621f9d33aa0176
                              • Instruction Fuzzy Hash: D2C19C70F006468FCB24CF68C4A0A7ABBF1EF46304F644A99D456AB391C779ED46CB91
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 0
                              • API String ID: 0-4108050209
                              • Opcode ID: 0f7beeca2686a97c6b62efb7c9992ad35cf3a01aa1fd21e5ef74d0205c40bd38
                              • Instruction ID: 44eaad1b7118ff5135f532844eee9da24641f747d07fa10b16d64a5bc1b499bd
                              • Opcode Fuzzy Hash: 0f7beeca2686a97c6b62efb7c9992ad35cf3a01aa1fd21e5ef74d0205c40bd38
                              • Instruction Fuzzy Hash: ADC1AF70A0064A8FCB24CF68C494A7EBFF2FF05314F2446AAD5D697291C739AD46CB91
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 0
                              • API String ID: 0-4108050209
                              • Opcode ID: 320c7ddaa484a9d933c376214f4ad1b1c42928c7f966c9f1655dfe830a101e72
                              • Instruction ID: 68aa4ee2b3ab47f6f754f56979e6bcc20394a638216502b2f4280b9df579f401
                              • Opcode Fuzzy Hash: 320c7ddaa484a9d933c376214f4ad1b1c42928c7f966c9f1655dfe830a101e72
                              • Instruction Fuzzy Hash: CAC1BB70F006068FCB28CF28C494A7ABBF1EF55314F644699D46A9B791CB38ED45CB91
                              APIs
                                • Part of subcall function 00B8A1F9: GetLastError.KERNEL32(?,?,00B5AC46,00BB8130,0000000C), ref: 00B8A1FD
                                • Part of subcall function 00B8A1F9: SetLastError.KERNEL32(00000000), ref: 00B8A29F
                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B97640
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$InfoLocale
                              • String ID:
                              • API String ID: 3736152602-0
                              • Opcode ID: c104d5cee1e07a11eb407f3379dbd3c22b9e8d8159aa9d5f05365ec8f4746453
                              • Instruction ID: 3a116b779ec4ef52afe8e78719afc2e513e630bdd509cf16b5ad5c36a1cc72ac
                              • Opcode Fuzzy Hash: c104d5cee1e07a11eb407f3379dbd3c22b9e8d8159aa9d5f05365ec8f4746453
                              • Instruction Fuzzy Hash: 03218072668606ABDF28AE69DC86EBA77E8EF45310F1040BAF901D6141EF34ED419B50
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 0
                              • API String ID: 0-4108050209
                              • Opcode ID: 672925174d0e2811ded76a8af114a4ad619fab9ed659ba1bd9145827dbc884b3
                              • Instruction ID: 03df09087336aea3ec6cc98dd9045a4f7d4d3a54619f963855b203eaef5c9794
                              • Opcode Fuzzy Hash: 672925174d0e2811ded76a8af114a4ad619fab9ed659ba1bd9145827dbc884b3
                              • Instruction Fuzzy Hash: BFB1BD70F0060A8BCB24DF68C580ABEB7F1FF49700F1949ADD456AB294DB39AD46CB51
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 0
                              • API String ID: 0-4108050209
                              • Opcode ID: 731ba233ed7e9dd2fa03d51d949f887ff47102b7c7d5d9b487b873f095eac097
                              • Instruction ID: 1e5d65a7b13a5abf2b62d9cc6b3824803a1b58bb77adf46d75c4f2e4352a923a
                              • Opcode Fuzzy Hash: 731ba233ed7e9dd2fa03d51d949f887ff47102b7c7d5d9b487b873f095eac097
                              • Instruction Fuzzy Hash: 86B1AC70F0060A8FCB24DFA8C595ABEB7F1EF44700B548A9DE45AE7290D738AD46CB51
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 0
                              • API String ID: 0-4108050209
                              • Opcode ID: 1cb93c83c28df15f078a9467681606cccfdc3c4b0a315268c6aea0e4b7e328df
                              • Instruction ID: 864e237565d5c59901a0c73cc02804fd6f328ab58f02ec242e2c02b481b0fc41
                              • Opcode Fuzzy Hash: 1cb93c83c28df15f078a9467681606cccfdc3c4b0a315268c6aea0e4b7e328df
                              • Instruction Fuzzy Hash: A6B1CF74E0060A8BCF24DF68C981ABEB7F1EF45300F14499DE56AAB290D739ED46CB51
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 0
                              • API String ID: 0-4108050209
                              • Opcode ID: fbc8cb572a693741c73c0c34d34bf905a05ccc77ae38e44e8671429eb1c54094
                              • Instruction ID: 5c7ad4813159f912876d5b7bfab54b32c38477f22351e0b0d1ad0749ba3a4200
                              • Opcode Fuzzy Hash: fbc8cb572a693741c73c0c34d34bf905a05ccc77ae38e44e8671429eb1c54094
                              • Instruction Fuzzy Hash: 2EB1D23090060A8BCB34CE68C895ABEBFE5EB05700F14069AD5E6D7291DB38EE41CF95
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 0
                              • API String ID: 0-4108050209
                              • Opcode ID: d1242401bcfe4f16a8a5ee75cd98f7302be97461983d9a285fc17fd23d6f0803
                              • Instruction ID: 7f6dc51425d43d254fb8849797c323cfb8e7e195a34501ea5c824d5c71372279
                              • Opcode Fuzzy Hash: d1242401bcfe4f16a8a5ee75cd98f7302be97461983d9a285fc17fd23d6f0803
                              • Instruction Fuzzy Hash: DAB1C37090064A8BCB24CF68C9A56BEBFF1EF04300F14869AD4D7E7791DB39A941CB95
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 0
                              • API String ID: 0-4108050209
                              • Opcode ID: bb1f00442f35c872477f9f82fa85b40d3506aef4f499233daec496ee425de096
                              • Instruction ID: c437e0aa717c4e368b9613a55711ba18141e32819cb685341cdf2c69a880c5a7
                              • Opcode Fuzzy Hash: bb1f00442f35c872477f9f82fa85b40d3506aef4f499233daec496ee425de096
                              • Instruction Fuzzy Hash: 3CB1B37090060E8BCB25CFA8C4956BEBFF1EF05300F14469AD5E6D7291D738AD41DB91
                              APIs
                                • Part of subcall function 00B8A1F9: GetLastError.KERNEL32(?,?,00B5AC46,00BB8130,0000000C), ref: 00B8A1FD
                                • Part of subcall function 00B8A1F9: SetLastError.KERNEL32(00000000), ref: 00B8A29F
                              • EnumSystemLocalesW.KERNEL32(00B97399,00000001,00000000,?,-00000050,?,00B979CA,00000000,?,?,?,00000055,?), ref: 00B972E5
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$EnumLocalesSystem
                              • String ID:
                              • API String ID: 2417226690-0
                              • Opcode ID: 67dc2250007b884c3e366eb7baf2063bafb671514b6fc6b23f8ac7083d69c149
                              • Instruction ID: 6efc0c28d217833d94de8aa11f4c12ddc0e37be71671d5a5d5d442efec788b0e
                              • Opcode Fuzzy Hash: 67dc2250007b884c3e366eb7baf2063bafb671514b6fc6b23f8ac7083d69c149
                              • Instruction Fuzzy Hash: 6A1129362287019FDF18AF39D8915BAB7D1FF85318B14447DE98687B40DB71A843C740
                              APIs
                              • IsDebuggerPresent.KERNEL32 ref: 00B927B1
                                • Part of subcall function 00B9EAAB: OutputDebugStringW.KERNEL32(00000000,?,?,?,?), ref: 00B9EB01
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: DebugDebuggerOutputPresentString
                              • String ID:
                              • API String ID: 4086329628-0
                              • Opcode ID: d21cb160f9a6e98a8df3ae7247c96638d166b5a803e5968c081a0b79572ca9eb
                              • Instruction ID: db85d43272cbc83520a6327614e1650060492999baba8f973a208e8bb80dd18c
                              • Opcode Fuzzy Hash: d21cb160f9a6e98a8df3ae7247c96638d166b5a803e5968c081a0b79572ca9eb
                              • Instruction Fuzzy Hash: 3BF0AF31801215BAEE213BA05C82BBB37D9EF013A4F1844E1FD18A6562CB21CC01E6B2
                              APIs
                                • Part of subcall function 00B8A1F9: GetLastError.KERNEL32(?,?,00B5AC46,00BB8130,0000000C), ref: 00B8A1FD
                                • Part of subcall function 00B8A1F9: SetLastError.KERNEL32(00000000), ref: 00B8A29F
                              • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00B975B5,00000000,00000000,?), ref: 00B97847
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$InfoLocale
                              • String ID:
                              • API String ID: 3736152602-0
                              • Opcode ID: 871d387724f882bbbeeaefe67432b0fde36f841b3b07a84c0a0028cca6573539
                              • Instruction ID: c95291b4856c188a4de2c11eccd13a2672a12c9670bd158afe50d16c37e8f2fe
                              • Opcode Fuzzy Hash: 871d387724f882bbbeeaefe67432b0fde36f841b3b07a84c0a0028cca6573539
                              • Instruction Fuzzy Hash: 52F0F932AA4111BBDF2867A6CC4ABFA77E4EB40754F1444B5ED16A3540DE30FD41C6D0
                              APIs
                                • Part of subcall function 00B8A1F9: GetLastError.KERNEL32(?,?,00B5AC46,00BB8130,0000000C), ref: 00B8A1FD
                                • Part of subcall function 00B8A1F9: SetLastError.KERNEL32(00000000), ref: 00B8A29F
                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00B971B7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$InfoLocale
                              • String ID: utf8
                              • API String ID: 3736152602-905460609
                              • Opcode ID: 9b6766a83c4258dd111c32580f64876af1b82ffca3886630109d4b923f74be11
                              • Instruction ID: b0221e896d22be9d5310e5900ab7326dbc88a8a21051a2283b9eb8b1bb760b27
                              • Opcode Fuzzy Hash: 9b6766a83c4258dd111c32580f64876af1b82ffca3886630109d4b923f74be11
                              • Instruction Fuzzy Hash: 59F0CD32654155A7DB14BF78DC49EBA33ECEB45314F1401BAF602E7141DE749D058754
                              APIs
                                • Part of subcall function 00B8A1F9: GetLastError.KERNEL32(?,?,00B5AC46,00BB8130,0000000C), ref: 00B8A1FD
                                • Part of subcall function 00B8A1F9: SetLastError.KERNEL32(00000000), ref: 00B8A29F
                              • EnumSystemLocalesW.KERNEL32(00B975EC,00000001,?,?,-00000050,?,00B9798E,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00B97358
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$EnumLocalesSystem
                              • String ID:
                              • API String ID: 2417226690-0
                              • Opcode ID: 9e6840d94b914ce31137126fb4635fe7a194594c08d6008f16a7980d46c8e89a
                              • Instruction ID: 68088fe6ae67d6219fd8e634408ea875110f2ec0d9e21d3e47c6378ce5f83486
                              • Opcode Fuzzy Hash: 9e6840d94b914ce31137126fb4635fe7a194594c08d6008f16a7980d46c8e89a
                              • Instruction Fuzzy Hash: 1AF022322583045FDF14AF399C82A6A7BD1FF81728F1540BDFA458B690CA719C02DB44
                              APIs
                                • Part of subcall function 00B76CF0: EnterCriticalSection.KERNEL32(?,?,00B89A3D,?,00BB8710,00000008,00B89E30,?,?,?), ref: 00B76CFF
                              • EnumSystemLocalesW.KERNEL32(00B8866F,00000001,00BB86B0,0000000C,00B88FAF,00000000), ref: 00B886BA
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CriticalEnterEnumLocalesSectionSystem
                              • String ID:
                              • API String ID: 1272433827-0
                              • Opcode ID: 1fce3370edce5c07c8ef45632b8746029c34108bb3eb0930ccf0cab2cca28e72
                              • Instruction ID: deb5a85313eacaed51b220cc3afc1adbaccae00b0af5ae463791a5a6f4c9fb47
                              • Opcode Fuzzy Hash: 1fce3370edce5c07c8ef45632b8746029c34108bb3eb0930ccf0cab2cca28e72
                              • Instruction Fuzzy Hash: D4F03C32A00204DFD700EF98E842B9D77F0FB05720F10416AE414A72A0DFB55900CF40
                              APIs
                              • GetLocaleInfoEx.KERNEL32(?,00000022,00000000,00000002,?,?,00B4900C,00000000,?,00000004,00B479FB,?,00000004,00B48002,00000000,00000000), ref: 00B4B843
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: InfoLocale
                              • String ID:
                              • API String ID: 2299586839-0
                              • Opcode ID: 4df77730d3504737be0d001a94c1e46c63e8eecffaa85566aaf7aa320c1d84e4
                              • Instruction ID: dd147824d908a2a0257ffb301842911b4ad626f6483430a1affc9428e87e50cc
                              • Opcode Fuzzy Hash: 4df77730d3504737be0d001a94c1e46c63e8eecffaa85566aaf7aa320c1d84e4
                              • Instruction Fuzzy Hash: D9E0D832650204B6D7198BBD9E0FF6A77DCDB01709F0042C5F202E50E2DBB0CB00E251
                              APIs
                                • Part of subcall function 00B8A1F9: GetLastError.KERNEL32(?,?,00B5AC46,00BB8130,0000000C), ref: 00B8A1FD
                                • Part of subcall function 00B8A1F9: SetLastError.KERNEL32(00000000), ref: 00B8A29F
                              • EnumSystemLocalesW.KERNEL32(00B97163,00000001,?,?,?,00B979EC,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00B97241
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$EnumLocalesSystem
                              • String ID:
                              • API String ID: 2417226690-0
                              • Opcode ID: 5518e20649acbd44dab99951c9303c43cedd93ddc95eca2f87be86be117a505b
                              • Instruction ID: 39193c6bb8689452553faad7330f7c898c5157f6839cc1ceacb30c314c5b5157
                              • Opcode Fuzzy Hash: 5518e20649acbd44dab99951c9303c43cedd93ddc95eca2f87be86be117a505b
                              • Instruction Fuzzy Hash: 03F0203635020457CB04AB39DC4966ABBD4EBC2750B0640A9EE098B250CA719842C790
                              APIs
                              • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00B876CB,?,20001004,00000000,00000002,?,?,00B86A43), ref: 00B89173
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: InfoLocale
                              • String ID:
                              • API String ID: 2299586839-0
                              • Opcode ID: b3b04c3b702b4ac7f9bc48704953f6a1ac22e9363669738aabae15bf52029e9f
                              • Instruction ID: 74e97b594979776ae65533056731d876c7a125aa2c85738499cb7e3ef3c3e053
                              • Opcode Fuzzy Hash: b3b04c3b702b4ac7f9bc48704953f6a1ac22e9363669738aabae15bf52029e9f
                              • Instruction Fuzzy Hash: DDE01A31500219BBCF123F61DC09AAE3A6AEB45750F084050F915661718F328D21EBD5
                              APIs
                              • EnumSystemLocalesW.KERNEL32(Function_0006866F,00000001), ref: 00B8882D
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: EnumLocalesSystem
                              • String ID:
                              • API String ID: 2099609381-0
                              • Opcode ID: 3cc7b7f5c0d1ebf3ccd280869dca88227ce66f96d6f148c8d09ac2ae75095eeb
                              • Instruction ID: 61204cffddef0d50fd046d96028688d8223feb20a9e0049ec69c714790eac0d6
                              • Opcode Fuzzy Hash: 3cc7b7f5c0d1ebf3ccd280869dca88227ce66f96d6f148c8d09ac2ae75095eeb
                              • Instruction Fuzzy Hash: 92D0C735944304AFD704BF51EC46B183B65F745750F610255F50857270DFF56851C784
                              APIs
                              • SetUnhandledExceptionFilter.KERNEL32(Function_0002D09E,00B4C18B), ref: 00B4D094
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExceptionFilterUnhandled
                              • String ID:
                              • API String ID: 3192549508-0
                              • Opcode ID: 5a3a116e51f9103fb117cbe7a4ab6aea3ca3b2d4bdaf64227805d8e1eb78a842
                              • Instruction ID: 2bff36f4e61bb9fd7843e601aea3ba33d27e915250f9112edaa179d5e565a3a7
                              • Opcode Fuzzy Hash: 5a3a116e51f9103fb117cbe7a4ab6aea3ca3b2d4bdaf64227805d8e1eb78a842
                              • Instruction Fuzzy Hash:
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocHeap
                              • String ID:
                              • API String ID: 4292702814-0
                              • Opcode ID: e2c3cd4ec104fe45a7497e434827adf0bb42497d402952af367d7912bdf07121
                              • Instruction ID: bfb1dc29ad84e3601eff9c27d5078a776074d858136ec07595b7674157673276
                              • Opcode Fuzzy Hash: e2c3cd4ec104fe45a7497e434827adf0bb42497d402952af367d7912bdf07121
                              • Instruction Fuzzy Hash: 15328C74A0021ADFCF28DF98C981ABEB7F5EF45304F2445A8DC45A7365D632AE46CB90
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9d7808b414df47d490fb91bcc2d12300d2cb92d85c574c9be3af2e2893a6b1f5
                              • Instruction ID: 663809e89c118b96e5cbf972eed3a2a489eb9c09f7c71249f401c0979aa271a3
                              • Opcode Fuzzy Hash: 9d7808b414df47d490fb91bcc2d12300d2cb92d85c574c9be3af2e2893a6b1f5
                              • Instruction Fuzzy Hash: 93122F71A002299FDB25CF18C8807AABBF9FB45301F5481EED95DEB245E7709E858F81
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c4d9caf02bc87c38edef879cef37559086af3cbbfab73cc247b1b794f6a33cc2
                              • Instruction ID: 171ad684a4834e0cf98380988be6dc7b6216d9154dc30a9e88142b38ea2e5d79
                              • Opcode Fuzzy Hash: c4d9caf02bc87c38edef879cef37559086af3cbbfab73cc247b1b794f6a33cc2
                              • Instruction Fuzzy Hash: 10E18271A102299FDB65EF18CC80BAAB7F9FF46344F1441EAD849A7251D7709E84CF41
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d5c21c2bc6b46b4716385ef8c57e636fae7336e4a122daa0505a6f758dec1037
                              • Instruction ID: e5eae8cd066aa244b05f183d1810707a0a34ef929c018f1bd2fe4af9724c7657
                              • Opcode Fuzzy Hash: d5c21c2bc6b46b4716385ef8c57e636fae7336e4a122daa0505a6f758dec1037
                              • Instruction Fuzzy Hash: C5B17C71D112198ADB11CFBCC8912DDF7F5EFAA310F29C79AD824B7250E731A9818B54
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5f0fe014724f46a4fdf71df1785f04c793b8600df146020ac055adbf297819a0
                              • Instruction ID: 3da89b42fec10c832b3b3525ee692f662f5e68def4749965e6f87a4c338499f9
                              • Opcode Fuzzy Hash: 5f0fe014724f46a4fdf71df1785f04c793b8600df146020ac055adbf297819a0
                              • Instruction Fuzzy Hash: 91A12D71A001299BCB25DF18D891BEDB7F5FB89304F1581FAD81DAB241E7719E818F84
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fe929d91a9f0e64f20453904c9813c4125ae80857842bde4f6557e49449952d1
                              • Instruction ID: 03395b3f651362e768c1ee350f406b760f53bc95188003c036687364207332b9
                              • Opcode Fuzzy Hash: fe929d91a9f0e64f20453904c9813c4125ae80857842bde4f6557e49449952d1
                              • Instruction Fuzzy Hash: 31516371D00219AFDF04CF99C981AEEBBF1EF84354F19C099E819AB241D734AE50CB91
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                              • Instruction ID: 1826196041e0a70c182d5ce47b875fc4125cc664647da7e3c3a7ff43aeb16151
                              • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                              • Instruction Fuzzy Hash: D3113D7724009283DA148A3DD9F86B7A7D6FBC5322B2C43FAD1728B756D222DB45F604
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5b5fba63f53d19527fc7a8df6216b17823e8423280ca3664fab53575dd68de03
                              • Instruction ID: 729436cd201b1e01d03a0c80144296d64141d7bc5a2a8431dbc52a848dd96fa3
                              • Opcode Fuzzy Hash: 5b5fba63f53d19527fc7a8df6216b17823e8423280ca3664fab53575dd68de03
                              • Instruction Fuzzy Hash: 51F09636A942609BE717EA5CC989B5573F8EB45B11F1501D3E201DB6A0C6A4DE00D7D1
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 944dd0397f84d6fac56f40ee474188b5ea1f29462e9c26bbd030b6a775e0e63a
                              • Instruction ID: bd983afc627be6f8689cfd6f54c58cee04dd3c9a735aec7f156bc02c76f7c673
                              • Opcode Fuzzy Hash: 944dd0397f84d6fac56f40ee474188b5ea1f29462e9c26bbd030b6a775e0e63a
                              • Instruction Fuzzy Hash: B1F09031684245EFEB15EE6CC948B9573E4EB25700F2040E2E105D7AA4D370EE80C702
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 39cad7066b96d67aa45a461a754e8bf1bfa98c3c8bea480aa690be5e78c388a2
                              • Instruction ID: d035d3e6ca387d55a4b5027fe9d4b1ff974e21e2575fdf6e8f9cca1771c3b47b
                              • Opcode Fuzzy Hash: 39cad7066b96d67aa45a461a754e8bf1bfa98c3c8bea480aa690be5e78c388a2
                              • Instruction Fuzzy Hash: 06F01572A51224AFDB2AAA4CC845A8973F8EB48B54F1140D6E501EB6A1D6B0EE00D7C1
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b0838929bd9fb429a0a1637d5a7a3d48d2e56fd9b69cef30005072a05cf9426d
                              • Instruction ID: 2c9232b62e43f30a6d9f26912fdacd521c047be1bf61ab78f86134319edbaacc
                              • Opcode Fuzzy Hash: b0838929bd9fb429a0a1637d5a7a3d48d2e56fd9b69cef30005072a05cf9426d
                              • Instruction Fuzzy Hash: 4AE06535A01304EFDB09DF68C944B49B7E8EB48748F2084A9E819C7660E734EE80CB10
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: be2caa3698abf477bc768ee28205dd3e26a7e687ae3bc470bd5e7bd6ced4444b
                              • Instruction ID: e548a7e94584e28ccbb095d7e17ef0daa31d43e4dfc7cda7702154dbdfa77aab
                              • Opcode Fuzzy Hash: be2caa3698abf477bc768ee28205dd3e26a7e687ae3bc470bd5e7bd6ced4444b
                              • Instruction Fuzzy Hash: D3E06531A01244EFDB19DBA8C544B49B3F9FB48784F2040A8E419D7AA1E734EE80CB40
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1180572ebc423d528d6d2b2aa93c3161b85fd8ca66b3f8678dd1786479aba326
                              • Instruction ID: 4dff1b4ab402781d0660310fc2b23050dd698586ffa0093298c5212b7637c577
                              • Opcode Fuzzy Hash: 1180572ebc423d528d6d2b2aa93c3161b85fd8ca66b3f8678dd1786479aba326
                              • Instruction Fuzzy Hash: 24E08C32912228EBCB14EB8CC904D8AF3FCEB45B00B1104ABB601D3121C270DE00D7D0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1f1f9998198fe091ba8346b06ba6bb319a3cc15cfdbdd13e1c646f71437b3e48
                              • Instruction ID: a90a5e3ab8734a098b178e977981d69a85d739ae784b0f669ae7f525ad4e0e22
                              • Opcode Fuzzy Hash: 1f1f9998198fe091ba8346b06ba6bb319a3cc15cfdbdd13e1c646f71437b3e48
                              • Instruction Fuzzy Hash: 8DE0E235501248EFCB04EBA8C549A8AB7F9FB48754F5148A5E405D7261D634EE80DB00
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 37bda6c8782477086c2f554060ec6b9e85648076b406dd39fdadbdaddbab4169
                              • Instruction ID: dc8898375e22d57a069afbbfa1883cb1e6b084c8bfca7f101d23dc00dfc06479
                              • Opcode Fuzzy Hash: 37bda6c8782477086c2f554060ec6b9e85648076b406dd39fdadbdaddbab4169
                              • Instruction Fuzzy Hash: C2C08C38410D404ACE39AA1082713A837E4F392782FC004CEC5020B662C92E9CC2EB21
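                               The `APIs` lines in the entries above are the tracer's stack window at each call site: tokens in call order, `?` where a value was not recovered, `Function_XXXXXXXX` for a code pointer, and negative immediates printed with a sign. The script below is an added example for working with those lines; it is not Joe Sandbox output and not code from the sample. It assumes the `Function_` offsets are relative to the dump base `00B20000` shown in the entries, and its constant tables are the documented `winnls.h` values. Run on the four lines above it decodes `00000001` passed to `EnumSystemLocalesW` as `LCID_INSTALLED`, and `20001004` in the `GetLocaleInfoW` window as `LOCALE_RETURN_NUMBER | LOCALE_IDEFAULTANSICODEPAGE` (read the ANSI code page as a number). That pair, together with `SetUnhandledExceptionFilter` registered for a function inside the image, is the sequence the MSVC C runtime's startup and locale initialisation emit, so the "queries locales information" behaviour in this report is best weighed alongside the injection and credential-theft indicators rather than on its own.

```python
"""Parse Joe Sandbox 'APIs' reference lines and decode the locale-API arguments."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Image base of the dumped module, taken from the "Offset: 00B20000" field of the
# entries. Assumed (the report does not say so) to be what Function_XXXXXXXX is
# relative to.
IMAGE_BASE = 0x00B20000

# Constructed input: the four API reference lines from the entries, copied verbatim.
SAMPLE_API_LINES = [
    "• EnumSystemLocalesW.KERNEL32(00B97163,00000001,?,?,?,00B979EC,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00B97241",
    "• GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00B876CB,?,20001004,00000000,00000002,?,?,00B86A43), ref: 00B89173",
    "• EnumSystemLocalesW.KERNEL32(Function_0006866F,00000001), ref: 00B8882D",
    "• SetUnhandledExceptionFilter.KERNEL32(Function_0002D09E,00B4C18B), ref: 00B4D094",
]

API_LINE = re.compile(
    r"^\s*•?\s*(?P<func>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Documented Win32 constants (winnls.h).
LCID_FLAGS = {0x1: "LCID_INSTALLED", 0x2: "LCID_SUPPORTED", 0x4: "LCID_ALTERNATE_SORTS"}
LCTYPE_MODIFIERS = {
    0x80000000: "LOCALE_NOUSEROVERRIDE",
    0x40000000: "LOCALE_USE_CP_ACP",
    0x20000000: "LOCALE_RETURN_NUMBER",
    0x10000000: "LOCALE_RETURN_GENITIVE_NAMES",
}
LCTYPE_IDS = {
    0x0001: "LOCALE_ILANGUAGE",
    0x000B: "LOCALE_IDEFAULTCODEPAGE",
    0x005C: "LOCALE_SNAME",
    0x1001: "LOCALE_SENGLANGUAGE",
    0x1004: "LOCALE_IDEFAULTANSICODEPAGE",
}


@dataclass
class ApiRef:
    function: str
    module: str
    args: list[str]  # raw stack-window tokens in the order the report prints them
    ref: int         # address of the call instruction


def parse_api_line(line: str) -> ApiRef | None:
    """Return the parsed reference, or None for lines that are not API references."""
    m = API_LINE.match(line)
    if m is None:
        return None
    args = [a for a in m["args"].split(",") if a]
    return ApiRef(m["func"], m["module"], args, int(m["ref"], 16))


def arg_value(token: str, image_base: int = IMAGE_BASE) -> tuple[str, int | None]:
    """Classify one token: '?' is unrecovered, Function_XXXXXXXX is a code pointer
    given as an offset from the image base, anything else is a 32-bit immediate
    (the report prints negative stack values as '-00000050')."""
    if token == "?":
        return ("unknown", None)
    if token.startswith("Function_"):
        return ("code", image_base + int(token[len("Function_"):], 16))
    return ("imm", int(token, 16) & 0xFFFFFFFF)


def decode_bitflags(value: int, table: dict[int, str]) -> list[str]:
    """Name every bit of `value` found in `table`; any remainder is kept as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value & ~sum(table)
    return names + ([f"0x{rest:08X}"] if rest else [])


def decode_lctype(value: int) -> tuple[list[str], str]:
    """Split a GetLocaleInfo LCType into its modifier flags and the LCTYPE id."""
    mods = decode_bitflags(value & 0xF0000000, LCTYPE_MODIFIERS)
    lctype_id = value & 0x0FFFFFFF
    return mods, LCTYPE_IDS.get(lctype_id, f"LCTYPE_0x{lctype_id:04X}")


def locale_api_summary(lines: list[str]) -> dict[str, list[str]]:
    """Annotate each call site with the arguments that have a documented meaning."""
    out: dict[str, list[str]] = {}
    for line in lines:
        ref = parse_api_line(line)
        if ref is None:
            continue
        notes: list[str] = []
        if ref.function == "EnumSystemLocalesW" and len(ref.args) >= 2:
            kind, callback = arg_value(ref.args[0])      # lpLocaleEnumProc
            flags = arg_value(ref.args[1])[1] or 0        # dwFlags
            notes.append(f"callback={kind}:{callback:#x}" if callback is not None else "callback=?")
            notes.append("dwFlags=" + "|".join(decode_bitflags(flags, LCID_FLAGS)))
        elif ref.function == "GetLocaleInfoW":
            # The stack window is not guaranteed to line up with the four parameters,
            # so look for a value shaped like an LCType that carries modifier bits.
            for tok in ref.args:
                kind, val = arg_value(tok)
                if kind == "imm" and val & 0xF0000000 and (val & 0x0FFFFFFF) in LCTYPE_IDS:
                    mods, name = decode_lctype(val)
                    notes.append("LCType=" + "|".join(mods + [name]))
        out[f"{ref.function}@{ref.ref:#010x}"] = notes
    return out


if __name__ == "__main__":
    for site, notes in locale_api_summary(SAMPLE_API_LINES).items():
        print(site, *notes)
```

Lines that are not API references (`Memory Dump Source`, the hash lines) parse to `None`, so a whole function listing can be piped through unchanged; the callback resolved for the second `EnumSystemLocalesW` site lands at `00B8866F`, inside the same image as the call.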

                              Control-flow Graph

                              • Executed
                              • Not Executed
                               Block notation: `id start-end` (a single address where only one is printed), followed by `call target` for each call made inside that block; `from->to` entries are edges between block ids.
                               control_flow_graph 1318 b56ddc-b56def 1319 b56df5-b56df7 1318->1319 1320 b5716e-b5717b call b53c74 1318->1320 1321 b56dfd-b56dff 1319->1321 1322 b56df9-b56dfb 1319->1322 1328 b5717e 1320->1328 1324 b56e05-b56e15 1321->1324 1326 b5716a-b5716c 1321->1326 1322->1321 1322->1324 1329 b56e17-b56e1b 1324->1329 1330 b56e3d-b56e3f 1324->1330 1327 b57160-b57168 call b538d5 1326->1327 1327->1328 1333 b57181-b57185 1328->1333 1329->1320 1334 b56e21-b56e31 1329->1334 1330->1326 1331 b56e45-b56e48 1330->1331 1331->1326 1337 b56e4e-b56e51 1331->1337 1335 b56e33-b56e36 1334->1335 1336 b56e38-b56e3b 1334->1336 1335->1336 1335->1337 1336->1337 1337->1326 1339 b56e57-b56e72 1337->1339 1340 b56f5f-b56f62 1339->1340 1341 b56e78-b56e7b 1339->1341 1342 b56f64-b56f73 1340->1342 1343 b56fe2-b56ff1 1340->1343 1344 b56e81-b56ebe call b53833 call b53cb8 1341->1344 1345 b56f1e-b56f1f 1341->1345 1346 b56f75-b56fa3 call b553c0 call b53c49 call b53cb8 1342->1346 1347 b56fd3-b56fdd call b553c0 call b53f42 1342->1347 1348 b57015-b5701f call b55abc call b53f42 1343->1348 1349 b56ff3-b57013 call b55abc call b53cb8 1343->1349 1379 b56ef1-b56f10 call b538d5 call b53cb8 1344->1379 1380 b56ec0-b56eef call b583d4 call b53c49 call b53cb8 1344->1380 1351 b56f25-b56f29 1345->1351 1346->1343 1347->1343 1375 b57024-b57028 1348->1375 1349->1375 1356 b56fb6-b56fce call b538d5 call b53cb8 1351->1356 1357 b56f2f-b56f31 1351->1357 1356->1328 1357->1326 1363 b56f37-b56f4c 1357->1363 1372 b56fa5-b56fb4 call b593b4 call b53f42 1363->1372 1373 b56f4e-b56f5c call b593b4 1363->1373 1372->1340 1373->1340 1383 b57054-b57064 call b572c0 1375->1383 1384 b5702a-b57051 call b53c49 call b53cda 1375->1384 1408 b56f13-b56f1c 1379->1408 1380->1408 1404 b57066-b5706b 1383->1404 1405 b5706d 1383->1405 1384->1383 1409 b5706f-b570b4 call b583a5 call b55009 call b53c49 call b53cda call b53db2 1404->1409 1405->1409 1408->1351 1421 b570b6-b570b8 1409->1421 1422 b570cc-b570d8 1409->1422 1421->1422 1423 b570ba-b570c6 call b53db2 1421->1423 1424 b570eb-b570f5 call b5828c call b53f42 1422->1424 1425 b570da-b570e9 call b5828c call b53db2 1422->1425 1423->1422 1435 b570fa-b5711d call b5734a call b53db2 1424->1435 1425->1435 1440 b57130-b5713a call b593e3 call b53f42 1435->1440 1441 b5711f-b5712e call b593e3 call b53db2 1435->1441 1448 b5713f-b57141 1440->1448 1441->1448 1450 b57143-b5715c 1448->1450 1451 b5715e 1448->1451 1450->1333 1451->1327
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Name::operator+$NameName::$Decorator::getReturnTypeoperator+
                              • String ID:
                              • API String ID: 2932655852-0
                              • Opcode ID: 52b987f456a3b4be9028f002f0d07d357b695b2360208e9ec8a02c052755df3e
                              • Instruction ID: 5646a5d181282c0d25c2e145e28791d0d75a505a311cf8871b971031e052fc4a
                              • Opcode Fuzzy Hash: 52b987f456a3b4be9028f002f0d07d357b695b2360208e9ec8a02c052755df3e
                              • Instruction Fuzzy Hash: 4EC15075D04208AFDB18EBA4D892BEE77F4EB04712F5401D9F906A7391DB70AA4DCB60
                              APIs
                              • DName::operator+.LIBCMT ref: 00B5843F
                              • DName::operator+.LIBCMT ref: 00B58582
                                • Part of subcall function 00B53D5A: shared_ptr.LIBCMT ref: 00B53D76
                              • DName::operator+.LIBCMT ref: 00B5852D
                              • DName::operator+.LIBCMT ref: 00B585CE
                              • DName::operator+.LIBCMT ref: 00B585DD
                              • DName::operator+.LIBCMT ref: 00B58709
                              • DName::operator=.LIBVCRUNTIME ref: 00B58749
                              • DName::DName.LIBVCRUNTIME ref: 00B58753
                              • DName::operator+.LIBCMT ref: 00B58770
                              • DName::operator+.LIBCMT ref: 00B5877C
                                • Part of subcall function 00B59C94: Replicator::operator[].LIBCMT ref: 00B59CD1
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Name::operator+$NameName::Name::operator=Replicator::operator[]shared_ptr
                              • String ID:
                              • API String ID: 1043660730-0
                              • Opcode ID: 41dbe3805d9ec3dbe02dc3f9f6f87dad197269f117f69a7fb735a6c0cdd66d54
                              • Instruction ID: d6a3e859d40e7afb3757af2d813c18fdf0decfe44cbd2607bee8b9ba7d8de6ca
                              • Opcode Fuzzy Hash: 41dbe3805d9ec3dbe02dc3f9f6f87dad197269f117f69a7fb735a6c0cdd66d54
                              • Instruction Fuzzy Hash: 1FC1ADB1D042049FDB15DFA4D895BEEBBF4EB09306F1440D9E949B7281EB74AA48CF50
                              APIs
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B259FD
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B25A17
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B25A38
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B25A64
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B25A99
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B25AD6
                              • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00B25B27
                              • __Getctype.LIBCPMT ref: 00B25B3E
                              • std::_Facet_Register.LIBCPMT ref: 00B25B57
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B25B70
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: std::_$Lockit$Lockit::~_$Lockit::_$Facet_GetctypeLocinfo::_Locinfo_ctorRegister
                              • String ID: bad locale name
                              • API String ID: 1407599034-1405518554
                              • Opcode ID: 50d8151ef9ee6cda925b31f00c809b57b5808578099d51430a7bda84c35e2f39
                              • Instruction ID: 05986472a270300c884cf66444b4e86c845a9ee4d4632fe490ae0ea31eff1e6c
                              • Opcode Fuzzy Hash: 50d8151ef9ee6cda925b31f00c809b57b5808578099d51430a7bda84c35e2f39
                              • Instruction Fuzzy Hash: CB41E1716043A49FC720EF58E881B6AB7E0EF91710F15499DE88C87251EB35E909CB92
                              APIs
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B25F8D
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B25FA7
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B25FC8
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B25FF4
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B26029
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B26066
                              • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00B260B7
                              • std::_Facet_Register.LIBCPMT ref: 00B260D6
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B260EF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: std::_$Lockit$Lockit::~_$Lockit::_$Facet_Locinfo::_Locinfo_ctorRegister
                              • String ID: bad locale name
                              • API String ID: 3434717313-1405518554
                              • Opcode ID: 4442e40c581d45b893e97a9335cc697f5dd2a9ce1293541df50b984f666483a8
                              • Instruction ID: 036099e9c0aac732d4ab3762333c2fe7960505e27d42b04a981f94ecd944b7ac
                              • Opcode Fuzzy Hash: 4442e40c581d45b893e97a9335cc697f5dd2a9ce1293541df50b984f666483a8
                              • Instruction Fuzzy Hash: 83419E716043A09FC711DF58E891B5BBBE0EF90710F15489DE88D9B251DB71E909CBA3
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: shared_ptr$operator+$Name::operator+Name::operator=
                              • String ID:
                              • API String ID: 1464150960-0
                              • Opcode ID: 0d4ad61a5d645095a4b371a7c4d25d3cd48775287105c1ee38bb35fdc6dc7428
                              • Instruction ID: 142eda82c250354ae687735774679016599969514d3e1eb02085294370ae446a
                              • Opcode Fuzzy Hash: 0d4ad61a5d645095a4b371a7c4d25d3cd48775287105c1ee38bb35fdc6dc7428
                              • Instruction Fuzzy Hash: 8CE12AB2C04609DBCB24DF94C4A9BFEBBF4EB05306F1081DAD922A6251D7745A4DCF91
                              APIs
                              • Replicator::operator[].LIBCMT ref: 00B59CD1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Replicator::operator[]
                              • String ID: @$generic-type-$template-parameter-
                              • API String ID: 3676697650-1320211309
                              • Opcode ID: e6b7d5fcb7da4955ad4e3eee36d094d70ee51a8f4e4dcea3e49c449d3345e33d
                              • Instruction ID: a271caa8ec292ab3f422130d277a0a605a449266eddc4f3996b31c6954d95dda
                              • Opcode Fuzzy Hash: e6b7d5fcb7da4955ad4e3eee36d094d70ee51a8f4e4dcea3e49c449d3345e33d
                              • Instruction Fuzzy Hash: EF619171D04209DFDB04DFA4D842BEEB7F8EB08715F1441D9EA05A7291DB74AA0DCBA1
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: __aulldiv
                              • String ID: :$f$f$f$p$p$p
                              • API String ID: 3732870572-1434680307
                              • Opcode ID: 68fde4c78655b4e3f40e40687d29b2e0e9f729efd37e4ac4a778d9f1ff3c1aee
                              • Instruction ID: fa183dcb6c0491bd142022b283a42cb186dd06db17563678814621fe70353239
                              • Opcode Fuzzy Hash: 68fde4c78655b4e3f40e40687d29b2e0e9f729efd37e4ac4a778d9f1ff3c1aee
                              • Instruction Fuzzy Hash: 900282759006189ADF348F64C8986EDB7F6FB40B14FA4C5DAD43DBB280E7708E899B14
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00B42627
                                • Part of subcall function 00B39040: __EH_prolog3.LIBCMT ref: 00B39047
                                • Part of subcall function 00B39040: std::_Lockit::_Lockit.LIBCPMT ref: 00B39051
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: H_prolog3$LockitLockit::_std::_
                              • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                              • API String ID: 2181796688-2891247106
                              • Opcode ID: 1420d041dd726ed80bb54f0f89775bb8804fee2b02ac4b7f09453b861553ac43
                              • Instruction ID: 84de5fff63cdcfe5e10a62b913dc4e8cd48efcb2d4025f137049db0aae2d3d0c
                              • Opcode Fuzzy Hash: 1420d041dd726ed80bb54f0f89775bb8804fee2b02ac4b7f09453b861553ac43
                              • Instruction Fuzzy Hash: 5DC15C7250010AABDB18DFA8CD96DFE7BE8EF05300F5541A9FA46E2291D6309F04FB61
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00B42A17
                                • Part of subcall function 00B390D5: __EH_prolog3.LIBCMT ref: 00B390DC
                                • Part of subcall function 00B390D5: std::_Lockit::_Lockit.LIBCPMT ref: 00B390E6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: H_prolog3$LockitLockit::_std::_
                              • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                              • API String ID: 2181796688-2891247106
                              • Opcode ID: 18b4d781a2a2f01fcddaa987532f48af633992d932eb856fa69bb6bfecea115b
                              • Instruction ID: 7b17861b37aae19082905e56b63403118f116a027d87ff757849a95186e89bf0
                              • Opcode Fuzzy Hash: 18b4d781a2a2f01fcddaa987532f48af633992d932eb856fa69bb6bfecea115b
                              • Instruction Fuzzy Hash: B7C16F7290010AABDB19DF58C996DFE7BF8EF09304F5545A9FA02E6251D630DB40FB60
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00B49D0B
                                • Part of subcall function 00B259F0: std::_Lockit::_Lockit.LIBCPMT ref: 00B259FD
                                • Part of subcall function 00B259F0: std::_Lockit::_Lockit.LIBCPMT ref: 00B25A17
                                • Part of subcall function 00B259F0: std::_Lockit::~_Lockit.LIBCPMT ref: 00B25A38
                                • Part of subcall function 00B259F0: std::_Lockit::~_Lockit.LIBCPMT ref: 00B25A64
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
                              • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                              • API String ID: 1383202999-2891247106
                              • Opcode ID: c083e28cfa9edc3e82fc248b2ed7b69a2ee85b05208eef35c6b484a62f6413df
                              • Instruction ID: 146a2ea06f111a3f3892a3b8758efe713798ff8e40d4629f884269297aac6eb9
                              • Opcode Fuzzy Hash: c083e28cfa9edc3e82fc248b2ed7b69a2ee85b05208eef35c6b484a62f6413df
                              • Instruction Fuzzy Hash: 2DC17D72540109AFDF18DFA8C9A5DFB7BF8EB09300F14459AFA06E6291D631DB04EB61
                              APIs
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B27282
                              • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00B272D7
                              • Concurrency::cancel_current_task.LIBCPMT ref: 00B273A1
                              • Concurrency::cancel_current_task.LIBCPMT ref: 00B273A6
                              • Concurrency::cancel_current_task.LIBCPMT ref: 00B273AB
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Concurrency::cancel_current_task$std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                              • String ID: bad locale name$false$true
                              • API String ID: 164343898-1062449267
                              • Opcode ID: 6fc6b1a6709efbf26c186b820aaef0e99e8cf9e64e29d81494c5ace25d858940
                              • Instruction ID: c065bb05005a65c11c4ff3c4a02ca8cab4b8cda9fb491d7f78eb1efc33a4dcb5
                              • Opcode Fuzzy Hash: 6fc6b1a6709efbf26c186b820aaef0e99e8cf9e64e29d81494c5ace25d858940
                              • Instruction Fuzzy Hash: E8419D701483509FD720DF68E881B4BBBE4EF85700F0449ADF89C8B292DBB5D509CBA6
                              APIs
                              • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00B4B4BE
                              • GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 00B4B4CC
                              • GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00B4B4DD
                              • GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 00B4B4EE
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$HandleModule
                              • String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
                              • API String ID: 667068680-1247241052
                              • Opcode ID: 93d195ad6b9de49baec04230549d6cc5ffca00d9c24846dd2418e182e9c7739a
                              • Instruction ID: 35481a066fec30608965c3f16f17223fc10f5dd55b4d63f6b51fa2e058d7e327
                              • Opcode Fuzzy Hash: 93d195ad6b9de49baec04230549d6cc5ffca00d9c24846dd2418e182e9c7739a
                              • Instruction Fuzzy Hash: 92E0B635949230ABD7226F74AC0E99B3AE8EA0F7213024056F505D3660EFF44458CBA1
                              APIs
                              • DName::operator+.LIBCMT ref: 00B58FB1
                              • UnDecorator::getSignedDimension.LIBCMT ref: 00B58FBC
                              • UnDecorator::getSignedDimension.LIBCMT ref: 00B590A8
                              • UnDecorator::getSignedDimension.LIBCMT ref: 00B590C5
                              • UnDecorator::getSignedDimension.LIBCMT ref: 00B590E2
                              • DName::operator+.LIBCMT ref: 00B590F7
                              • UnDecorator::getSignedDimension.LIBCMT ref: 00B59111
                              • DName::operator+.LIBCMT ref: 00B591E6
                                • Part of subcall function 00B54E94: DName::DName.LIBVCRUNTIME ref: 00B54EF2
                              • DName::DName.LIBVCRUNTIME ref: 00B5925D
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Decorator::getDimensionSigned$Name::operator+$NameName::
                              • String ID:
                              • API String ID: 3679549980-0
                              • Opcode ID: c4dc0b3128624ef7c971d44a6bc80accb38a3e8fee0e12d5657feef5c62c42b0
                              • Instruction ID: ac98ae8680da6ca562a7a6f9b9ecdd4c1a60ca93c89314c911eeff637c5b2fe8
                              • Opcode Fuzzy Hash: c4dc0b3128624ef7c971d44a6bc80accb38a3e8fee0e12d5657feef5c62c42b0
                              • Instruction Fuzzy Hash: 3791C672C04209E9DB18EBB4DD9ABBE77F8EB04302F5404D6F901B6191DF759A0C8B61
                              APIs
                              • type_info::operator==.LIBVCRUNTIME ref: 00B523F5
                              • ___TypeMatch.LIBVCRUNTIME ref: 00B52503
                              • _UnwindNestedFrames.LIBCMT ref: 00B52655
                              • CallUnexpected.LIBVCRUNTIME ref: 00B52670
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                              • String ID: csm$csm$csm
                              • API String ID: 2751267872-393685449
                              • Opcode ID: 4a8c2e6dd2a7d8a1f205e42f93e6e15af2f56ca44057c2f13c8a58465bd9afa8
                              • Instruction ID: 198376a065aae578c65a35c6912f4aa18ab96f87472c2587c3be1b0db90dd01a
                              • Opcode Fuzzy Hash: 4a8c2e6dd2a7d8a1f205e42f93e6e15af2f56ca44057c2f13c8a58465bd9afa8
                              • Instruction Fuzzy Hash: A1B17A71802209EFCF19DFA4D881AAEB7F5FF16312B1445E9EC146B212D730DA59CBA1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID: 0-3907804496
                              • Opcode ID: 7b351b185aa23f660b5eac9d602d10eb195361eacd29c052e7789e2c5af612b4
                              • Instruction ID: 6691f66c9e0435af715b2ee6c38a5d74da68769a655fbadaab8215d5fc839945
                              • Opcode Fuzzy Hash: 7b351b185aa23f660b5eac9d602d10eb195361eacd29c052e7789e2c5af612b4
                              • Instruction Fuzzy Hash: 14B19170A0424A9FDB15EF99C881BBD7BF1FF89310F1481E9E5149B2A2D7709D42CB61
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: MaklocchrMaklocstr$H_prolog3_
                              • String ID: false$true
                              • API String ID: 2404127365-2658103896
                              • Opcode ID: a9f0780bf3cd228476f9e25da3ced7e411bdc3df076f8772121a6f974baef814
                              • Instruction ID: 1b72af9b43f91d07dc1165feb4b590d25b313c1fddfed1b33b813fe4223f9590
                              • Opcode Fuzzy Hash: a9f0780bf3cd228476f9e25da3ced7e411bdc3df076f8772121a6f974baef814
                              • Instruction Fuzzy Hash: E1216BB1C00344AADB14EFA5D88599EBBF8EF44700F10849AF8159F256EB74D500CB60
                              APIs
                              • DName::operator+.LIBCMT ref: 00B552B1
                              • DName::operator+.LIBCMT ref: 00B55304
                                • Part of subcall function 00B53D5A: shared_ptr.LIBCMT ref: 00B53D76
                                • Part of subcall function 00B53C49: DName::operator+.LIBCMT ref: 00B53C6A
                              • DName::operator+.LIBCMT ref: 00B552F5
                              • DName::operator+.LIBCMT ref: 00B55355
                              • DName::operator+.LIBCMT ref: 00B55362
                              • DName::operator+.LIBCMT ref: 00B553A9
                              • DName::operator+.LIBCMT ref: 00B553B6
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Name::operator+$shared_ptr
                              • String ID:
                              • API String ID: 1037112749-0
                              • Opcode ID: 2af2b22d27d8fa593efdbda213524de0ed0f7d8b9737edb820c9b5a393c9439e
                              • Instruction ID: 63e4ad68140b4306898fe7d4bd2fdc8150e236aff30160450042ee96bba0a094
                              • Opcode Fuzzy Hash: 2af2b22d27d8fa593efdbda213524de0ed0f7d8b9737edb820c9b5a393c9439e
                              • Instruction Fuzzy Hash: B9515171D04218ABDB15DB94C855FEEBBF8EB18742F0441D9F906A7281DB709A4CCBA0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: false$ios_base::badbit set$true
                              • API String ID: 0-1679644946
                              • Opcode ID: 56eddf6c40e62d6979851588b16eb948045df3f080408ecd8c768b219a1c6dfe
                              • Instruction ID: 36c90c10e670f2e40f4f24a8eeec6f7c1903c5c649cdf6b7261375b26d43c441
                              • Opcode Fuzzy Hash: 56eddf6c40e62d6979851588b16eb948045df3f080408ecd8c768b219a1c6dfe
                              • Instruction Fuzzy Hash: 363108756443405FD310DF68A840B67BFE0EF56304F0889EDE98D8B312DBB29809CBA2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: false$ios_base::badbit set$true
                              • API String ID: 0-1679644946
                              • Opcode ID: 079d697dd17eb61bddd817d6daaf87c5344dcf6999dcd722238c36eec77bf652
                              • Instruction ID: de52a4913783cd675fe42a4042e2b9f858b94f3e1b2ec33c4edf5e40a1d3631a
                              • Opcode Fuzzy Hash: 079d697dd17eb61bddd817d6daaf87c5344dcf6999dcd722238c36eec77bf652
                              • Instruction Fuzzy Hash: 9A3135351443504FD720DF74A855B67BFE0EF56314F0889EEE8894B312DAB69409C7A2
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Maklocstr$GetvalsH_prolog3_
                              • String ID: false$true
                              • API String ID: 1611767717-2658103896
                              • Opcode ID: 1d4cec7261dedc242c579c54bb683f09bd4ea69c30904ac8ef4ec6ebb85198d7
                              • Instruction ID: 5b1777d3580005632f98180ad96c3a27e98e28c8ef1b4b52e0dba623e687c2b2
                              • Opcode Fuzzy Hash: 1d4cec7261dedc242c579c54bb683f09bd4ea69c30904ac8ef4ec6ebb85198d7
                              • Instruction Fuzzy Hash: 93213072D00214ABDB15EFE5D885ADF7BE8EF04710F108496B9189F292DBB0D544CBA1
                              APIs
                              • GetCPInfo.KERNEL32(00C24E28,00C24E28,?,7FFFFFFF,?,00BA0AF8,00C24E28,00C24E28,?,00C24E28,?,?,?,?,00C24E28,?), ref: 00BA08CE
                              • __freea.LIBCMT ref: 00BA0A63
                              • __freea.LIBCMT ref: 00BA0A69
                              • __freea.LIBCMT ref: 00BA0A9F
                              • __freea.LIBCMT ref: 00BA0AA5
                              • __freea.LIBCMT ref: 00BA0AB5
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: __freea$Info
                              • String ID:
                              • API String ID: 541289543-0
                              • Opcode ID: 505049043a11120acb42dabd15e581472054b9ecfe1093b0ae57da048af54eb3
                              • Instruction ID: f83732663a5ab2ba5954134e52ece76cd5ca058aa876f08306b3f4845acb77a3
                              • Opcode Fuzzy Hash: 505049043a11120acb42dabd15e581472054b9ecfe1093b0ae57da048af54eb3
                              • Instruction Fuzzy Hash: ED71B572A18305ABEF20BEA8CC81FAF7BF9DF47310F1940D5E915A7242E6359D4087A5
                              APIs
                              • GetCPInfo.KERNEL32(?,?,?,?,?), ref: 00B4BE36
                              • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00B4BEC2
                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00B4BF2D
                              • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00B4BF49
                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00B4BFAC
                              • CompareStringEx.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00B4BFC9
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharMultiWide$CompareInfoString
                              • String ID:
                              • API String ID: 2984826149-0
                              • Opcode ID: 5ef4e7cdf3b4b391a98088974fc2767eed36a2c4b0d1dcf4b80d4a115e6d771e
                              • Instruction ID: 8224c627e9188964cd8edd6651e6cb4f391c7d3133b6c6111af81f89dec9eedd
                              • Opcode Fuzzy Hash: 5ef4e7cdf3b4b391a98088974fc2767eed36a2c4b0d1dcf4b80d4a115e6d771e
                              • Instruction Fuzzy Hash: BC71D032900215ABDF209F65CC81FEE7BF5EF45750F144595EA44B7190DB31CE08ABA0
                              APIs
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 00B2EAC0
                              • MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 00B2EB2B
                              • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B2EB48
                              • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00B2EB87
                              • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B2EBE6
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00B2EC09
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharMultiStringWide
                              • String ID:
                              • API String ID: 2829165498-0
                              • Opcode ID: f1c52221a6ad51dc37b107a164950c80fb561fa7c95f42c6832feb78abf3f7f5
                              • Instruction ID: 1cac9d13b9bf2c72f833ae22f2420922dd6e1a641529293cc914f01244e984bb
                              • Opcode Fuzzy Hash: f1c52221a6ad51dc37b107a164950c80fb561fa7c95f42c6832feb78abf3f7f5
                              • Instruction Fuzzy Hash: 5051C37290022AAFDF209FA6EC85FAB7BF9FF45740F1445A4F929A6150DB30DC009B50
                              APIs
                              • DName::operator+.LIBCMT ref: 00B59B84
                              • DName::operator+.LIBCMT ref: 00B59B90
                                • Part of subcall function 00B53D5A: shared_ptr.LIBCMT ref: 00B53D76
                              • DName::operator+=.LIBCMT ref: 00B59C4E
                                • Part of subcall function 00B583D4: DName::operator+.LIBCMT ref: 00B5843F
                                • Part of subcall function 00B583D4: DName::operator+.LIBCMT ref: 00B58709
                                • Part of subcall function 00B53C49: DName::operator+.LIBCMT ref: 00B53C6A
                              • DName::operator+.LIBCMT ref: 00B59C0B
                                • Part of subcall function 00B53DB2: DName::operator=.LIBVCRUNTIME ref: 00B53DD3
                              • DName::DName.LIBVCRUNTIME ref: 00B59C72
                              • DName::operator+.LIBCMT ref: 00B59C7E
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Name::operator+$NameName::Name::operator+=Name::operator=shared_ptr
                              • String ID:
                              • API String ID: 2795783184-0
                              • Opcode ID: d25e4f43f768c9f8195a26c5ee9d00a8ef1ac9b59a4ab5831445af0c3b30b6d3
                              • Instruction ID: c777e6daf199c446d36a7c8fcbca7e63ecfe422d4c99423a4d9432f7872583ab
                              • Opcode Fuzzy Hash: d25e4f43f768c9f8195a26c5ee9d00a8ef1ac9b59a4ab5831445af0c3b30b6d3
                              • Instruction Fuzzy Hash: 2141E8B0E04204EFEB15DF78C891BAE7BF9EB09701F4044D9E94AA7391D7345A48CB60
                              APIs
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B269ED
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B26A0B
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B26A2C
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B26A7C
                              • std::_Facet_Register.LIBCPMT ref: 00B26AA6
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B26ABF
                                • Part of subcall function 00B21FE0: ___std_exception_copy.LIBVCRUNTIME ref: 00B2201C
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: std::_$Lockit$Lockit::~_$Lockit::_$Facet_Register___std_exception_copy
                              • String ID:
                              • API String ID: 728164013-0
                              • Opcode ID: cc25f977eac83b14a4e80cd87ca6d2adee219415283fa236ee5ccab2569ef07a
                              • Instruction ID: f9296ade6d0b6f85e3bedf1e1d5bdd1a6063c30ada60f18949833ec21f67261f
                              • Opcode Fuzzy Hash: cc25f977eac83b14a4e80cd87ca6d2adee219415283fa236ee5ccab2569ef07a
                              • Instruction Fuzzy Hash: 0131D2719002209FCB11DF18F880A6EB7E4EB91324F1585A9E88D67261DB35ED5DCBD2
                              APIs
                                • Part of subcall function 00B59C94: Replicator::operator[].LIBCMT ref: 00B59CD1
                              • DName::operator=.LIBVCRUNTIME ref: 00B5883E
                                • Part of subcall function 00B583D4: DName::operator+.LIBCMT ref: 00B5843F
                                • Part of subcall function 00B583D4: DName::operator+.LIBCMT ref: 00B58709
                              • DName::operator+.LIBCMT ref: 00B587F8
                              • DName::operator+.LIBCMT ref: 00B58804
                              • DName::DName.LIBVCRUNTIME ref: 00B58848
                              • DName::operator+.LIBCMT ref: 00B58865
                              • DName::operator+.LIBCMT ref: 00B58871
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Name::operator+$NameName::Name::operator=Replicator::operator[]
                              • String ID:
                              • API String ID: 955152517-0
                              • Opcode ID: 79c8a991d837e5bd3f65a68d94feab716209ff9bd84c9114e706fb784b4e2796
                              • Instruction ID: eda90fa218bdd56c8722c1254121f8e7fb2385209662d6a81f3126083bc97122
                              • Opcode Fuzzy Hash: 79c8a991d837e5bd3f65a68d94feab716209ff9bd84c9114e706fb784b4e2796
                              • Instruction Fuzzy Hash: D131C0B1A043049FDB18DF64C855BAEBBF4EF48301F4484DDE986A7340EB34A948CB60
                              APIs
                              • GetLastError.KERNEL32(?,?,00B51F5F,00B4E9FD,00B4D0E2), ref: 00B51F76
                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00B51F84
                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B51F9D
                              • SetLastError.KERNEL32(00000000,00B51F5F,00B4E9FD,00B4D0E2), ref: 00B51FEF
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLastValue___vcrt_
                              • String ID:
                              • API String ID: 3852720340-0
                              • Opcode ID: f6d0798e5b92a27dd9aa2ebf5e7d927dfef0fe2212e83b9e54fcda89c4d3507f
                              • Instruction ID: 73af22b746b4abca2475547f9f9ced452b5d2cb28c4a546c38ef4a99850eca2d
                              • Opcode Fuzzy Hash: f6d0798e5b92a27dd9aa2ebf5e7d927dfef0fe2212e83b9e54fcda89c4d3507f
                              • Instruction Fuzzy Hash: 2D012432A0D3216FA7603BBC7CC5B2E27C6EB05777B2007E9F910960E0EF914C089542
                              APIs
                              • GetModuleFileNameW.KERNEL32(00000000,00C07292,00000104), ref: 00B84260
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: FileModuleName
                              • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                              • API String ID: 514040917-4022980321
                              • Opcode ID: 80430f71a95b81cff92a5de7e5a370a3def8688f2927976c32f3b29a654e573a
                              • Instruction ID: 5fb1c5f623cdb2d9994547e091355a9fefb0aad56a6082bc00e56115204d4936
                              • Opcode Fuzzy Hash: 80430f71a95b81cff92a5de7e5a370a3def8688f2927976c32f3b29a654e573a
                              • Instruction Fuzzy Hash: 77213832E4430776DA2476655C0AF6B3BCCDBA2744F0406B1FD08A2162F761DD11C3E9
                              APIs
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Mpunct$GetvalsH_prolog3
                              • String ID: $+xv
                              • API String ID: 2204710431-1686923651
                              • Opcode ID: bf64aa8dd4095d49a20ea31fc2d61052053c041112d0f6c7de8f95d93c6b4c4b
                              • Instruction ID: 230c6a902aa21aeabe6747dd44f7c184831fd3262785e2e59026e135df793f72
                              • Opcode Fuzzy Hash: bf64aa8dd4095d49a20ea31fc2d61052053c041112d0f6c7de8f95d93c6b4c4b
                              • Instruction Fuzzy Hash: 8921A4B1904B566ED725DF749890B3BBEF8AF09700F14469AE499C7A41D730EA01CF90
                              APIs
                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,5838D13B,?,?,00000000,00BA649A,000000FF,?,00B85792,00000002,?,00B85766,00B76DCA), ref: 00B85840
                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00B85852
                              • FreeLibrary.KERNEL32(00000000,?,?,00000000,00BA649A,000000FF,?,00B85792,00000002,?,00B85766,00B76DCA), ref: 00B85874
                              Strings
                              Yara matches
                              Similarity
                              • API ID: AddressFreeHandleLibraryModuleProc
                              • String ID: CorExitProcess$mscoree.dll
                              • API String ID: 4061214504-1276376045
                              • Opcode ID: 412767817119cadcc5ca3d88ff313fe7e8d4b578442e928520aebf1dfcd9a627
                              • Instruction ID: 51da8b6aeb4234fdf19b7749ee00f24e32e5cf70047a6fbd2e3458303bbd6410
                              • Opcode Fuzzy Hash: 412767817119cadcc5ca3d88ff313fe7e8d4b578442e928520aebf1dfcd9a627
                              • Instruction Fuzzy Hash: 9F01A272944A15AFCB219F50CC09BAEBBF8FB09B15F040666E811A26A0DF759800CB40
                              APIs
                              • LoadLibraryExW.KERNEL32(?,00000000,00000800,?,00B88D36), ref: 00B88D8C
                              • GetLastError.KERNEL32(?,00B88D36), ref: 00B88D96
                              • LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 00B88DD4
                              Strings
                              Yara matches
                              Similarity
                              • API ID: LibraryLoad$ErrorLast
                              • String ID: api-ms-$ext-ms-
                              • API String ID: 3177248105-537541572
                              • Opcode ID: 88eec3172cde9f280e227f6aec86729c4264ec13f3d202d9d6deb7fe2e1a2c83
                              • Instruction ID: 1e74f6ef2246cc2c0a36a9a7aadca0255bbca25e143fe65d247f601af944549b
                              • Opcode Fuzzy Hash: 88eec3172cde9f280e227f6aec86729c4264ec13f3d202d9d6deb7fe2e1a2c83
                              • Instruction Fuzzy Hash: CEF01271644204BBDF203B61EC07B5A3EA59B26B80F544070F90CB95F2EF71D912D784
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00B3EBFE
                              • ctype.LIBCPMT ref: 00B3EC45
                                • Part of subcall function 00B3E277: __Getctype.LIBCPMT ref: 00B3E286
                                • Part of subcall function 00B39294: __EH_prolog3.LIBCMT ref: 00B3929B
                                • Part of subcall function 00B39294: std::_Lockit::_Lockit.LIBCPMT ref: 00B392A5
                                • Part of subcall function 00B393BE: __EH_prolog3.LIBCMT ref: 00B393C5
                                • Part of subcall function 00B393BE: std::_Lockit::_Lockit.LIBCPMT ref: 00B393CF
                                • Part of subcall function 00B3957D: __EH_prolog3.LIBCMT ref: 00B39584
                                • Part of subcall function 00B3957D: std::_Lockit::_Lockit.LIBCPMT ref: 00B3958E
                                • Part of subcall function 00B3957D: std::_Lockit::~_Lockit.LIBCPMT ref: 00B395FF
                                • Part of subcall function 00B394E8: __EH_prolog3.LIBCMT ref: 00B394EF
                                • Part of subcall function 00B394E8: std::_Lockit::_Lockit.LIBCPMT ref: 00B394F9
                                • Part of subcall function 00B2D92A: __EH_prolog3.LIBCMT ref: 00B2D931
                                • Part of subcall function 00B2D92A: std::_Lockit::_Lockit.LIBCPMT ref: 00B2D93B
                                • Part of subcall function 00B2D92A: std::_Lockit::~_Lockit.LIBCPMT ref: 00B2D9E2
                              • numpunct.LIBCPMT ref: 00B3EFF3
                                • Part of subcall function 00B3A31C: __EH_prolog3.LIBCMT ref: 00B3A323
                                • Part of subcall function 00B39ABA: __EH_prolog3.LIBCMT ref: 00B39AC1
                                • Part of subcall function 00B39ABA: std::_Lockit::_Lockit.LIBCPMT ref: 00B39ACB
                                • Part of subcall function 00B39ABA: std::_Lockit::~_Lockit.LIBCPMT ref: 00B39B3C
                                • Part of subcall function 00B39BE4: __EH_prolog3.LIBCMT ref: 00B39BEB
                                • Part of subcall function 00B39BE4: std::_Lockit::_Lockit.LIBCPMT ref: 00B39BF5
                                • Part of subcall function 00B39BE4: std::_Lockit::~_Lockit.LIBCPMT ref: 00B39C66
                                • Part of subcall function 00B2D92A: Concurrency::cancel_current_task.LIBCPMT ref: 00B2D9ED
                                • Part of subcall function 00B38DEC: __EH_prolog3.LIBCMT ref: 00B38DF3
                                • Part of subcall function 00B38DEC: std::_Lockit::_Lockit.LIBCPMT ref: 00B38DFD
                                • Part of subcall function 00B38DEC: std::_Lockit::~_Lockit.LIBCPMT ref: 00B38E6E
                              • __Getcoll.LIBCPMT ref: 00B3EDB9
                                • Part of subcall function 00B22220: std::_Lockit::_Lockit.LIBCPMT ref: 00B2222F
                                • Part of subcall function 00B22220: std::_Lockit::~_Lockit.LIBCPMT ref: 00B2224A
                              • codecvt.LIBCPMT ref: 00B3F0A4
                              Yara matches
                              Similarity
                              • API ID: Lockitstd::_$H_prolog3$Lockit::_$Lockit::~_$Concurrency::cancel_current_taskGetcollGetctypecodecvtctypenumpunct
                              • String ID:
                              • API String ID: 778957219-0
                              • Opcode ID: 92aaee07f0d450b5e638e295c3edf76cafe6fca2290bce957dfd9b284b575608
                              • Instruction ID: b0cbd78c08c0cac5878b7c9bc4ef1f48a8f479a3f728e3930ee86a456e60baa5
                              • Opcode Fuzzy Hash: 92aaee07f0d450b5e638e295c3edf76cafe6fca2290bce957dfd9b284b575608
                              • Instruction Fuzzy Hash: 17E10472804226AFEF256F649C4297F7AE5EF41350F2445EEF868AB2C1EB71CD009791
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00B3F0DA
                              • ctype.LIBCPMT ref: 00B3F121
                                • Part of subcall function 00B3E2B0: __Getctype.LIBCPMT ref: 00B3E2BF
                                • Part of subcall function 00B39329: __EH_prolog3.LIBCMT ref: 00B39330
                                • Part of subcall function 00B39329: std::_Lockit::_Lockit.LIBCPMT ref: 00B3933A
                                • Part of subcall function 00B39453: __EH_prolog3.LIBCMT ref: 00B3945A
                                • Part of subcall function 00B39453: std::_Lockit::_Lockit.LIBCPMT ref: 00B39464
                                • Part of subcall function 00B396A7: __EH_prolog3.LIBCMT ref: 00B396AE
                                • Part of subcall function 00B396A7: std::_Lockit::_Lockit.LIBCPMT ref: 00B396B8
                                • Part of subcall function 00B396A7: std::_Lockit::~_Lockit.LIBCPMT ref: 00B39729
                                • Part of subcall function 00B39612: __EH_prolog3.LIBCMT ref: 00B39619
                                • Part of subcall function 00B39612: std::_Lockit::_Lockit.LIBCPMT ref: 00B39623
                                • Part of subcall function 00B39612: std::_Lockit::~_Lockit.LIBCPMT ref: 00B39694
                                • Part of subcall function 00B2D92A: __EH_prolog3.LIBCMT ref: 00B2D931
                                • Part of subcall function 00B2D92A: std::_Lockit::_Lockit.LIBCPMT ref: 00B2D93B
                                • Part of subcall function 00B2D92A: std::_Lockit::~_Lockit.LIBCPMT ref: 00B2D9E2
                              • numpunct.LIBCPMT ref: 00B3F4CF
                                • Part of subcall function 00B3A34F: __EH_prolog3.LIBCMT ref: 00B3A356
                                • Part of subcall function 00B39B4F: __EH_prolog3.LIBCMT ref: 00B39B56
                                • Part of subcall function 00B39B4F: std::_Lockit::_Lockit.LIBCPMT ref: 00B39B60
                                • Part of subcall function 00B39B4F: std::_Lockit::~_Lockit.LIBCPMT ref: 00B39BD1
                                • Part of subcall function 00B39C79: __EH_prolog3.LIBCMT ref: 00B39C80
                                • Part of subcall function 00B39C79: std::_Lockit::_Lockit.LIBCPMT ref: 00B39C8A
                                • Part of subcall function 00B39C79: std::_Lockit::~_Lockit.LIBCPMT ref: 00B39CFB
                                • Part of subcall function 00B2D92A: Concurrency::cancel_current_task.LIBCPMT ref: 00B2D9ED
                                • Part of subcall function 00B38E81: __EH_prolog3.LIBCMT ref: 00B38E88
                                • Part of subcall function 00B38E81: std::_Lockit::_Lockit.LIBCPMT ref: 00B38E92
                                • Part of subcall function 00B38E81: std::_Lockit::~_Lockit.LIBCPMT ref: 00B38F03
                              • __Getcoll.LIBCPMT ref: 00B3F295
                                • Part of subcall function 00B22220: std::_Lockit::_Lockit.LIBCPMT ref: 00B2222F
                                • Part of subcall function 00B22220: std::_Lockit::~_Lockit.LIBCPMT ref: 00B2224A
                              • codecvt.LIBCPMT ref: 00B3F580
                              Yara matches
                              Similarity
                              • API ID: Lockitstd::_$H_prolog3$Lockit::_$Lockit::~_$Concurrency::cancel_current_taskGetcollGetctypecodecvtctypenumpunct
                              • String ID:
                              • API String ID: 778957219-0
                              • Opcode ID: 15b05df7fb8846657ffa6308e6d781da069ae5af45bb22024708a2cc538caf3e
                              • Instruction ID: 323cfb3912f951e890754db98a5a469da6c5f9896ff27e31cf6e0950c04f6216
                              • Opcode Fuzzy Hash: 15b05df7fb8846657ffa6308e6d781da069ae5af45bb22024708a2cc538caf3e
                              • Instruction Fuzzy Hash: 08E1E3B2C04217ABDB156FA49C42A7F7AF5EF41350F2445FDF858AB291EB318D00A791
                              APIs
                              Yara matches
                              Similarity
                              • API ID: operator+shared_ptr$NameName::
                              • String ID:
                              • API String ID: 2894330373-0
                              • Opcode ID: 80c6607b113ad3ef529524821f879c1ac0d5440613350992dd930c5a51be3ece
                              • Instruction ID: bea49be325a3a1c6f81602bc1ccff494884c8a71bf959ddb5cc2f458962feca4
                              • Opcode Fuzzy Hash: 80c6607b113ad3ef529524821f879c1ac0d5440613350992dd930c5a51be3ece
                              • Instruction Fuzzy Hash: 1F616F71A48209EFDB14DF68E846BAE7BF8FB05305F1482D9EC199B211DB319A09CF50
                              APIs
                              • GetCurrentThreadId.KERNEL32 ref: 00B2EDC6
                              • AcquireSRWLockExclusive.KERNEL32(?,?,00B2BF2B,?), ref: 00B2EDE5
                              • AcquireSRWLockExclusive.KERNEL32(?,?,?,?,00B2BF2B,?), ref: 00B2EE13
                              • TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,00B2BF2B,?), ref: 00B2EE6E
                              • TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,00B2BF2B,?), ref: 00B2EE85
                              Yara matches
                              Similarity
                              • API ID: AcquireExclusiveLock$CurrentThread
                              • String ID:
                              • API String ID: 66001078-0
                              • Opcode ID: c3d1cf87389609ed37d023b596662e6a3389c46042a519bb40e7be8a0d62a0bd
                              • Instruction ID: ea1c43bcbe2226f270fd2e681eff8ea29d69951644af593397d603cfa880f101
                              • Opcode Fuzzy Hash: c3d1cf87389609ed37d023b596662e6a3389c46042a519bb40e7be8a0d62a0bd
                              • Instruction Fuzzy Hash: 9A418E3190062ADFCB60EF66E4819BAB3F5FF08350B2249A9D46ED7650D730F985CB51
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00B29DC1
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B29DCB
                                • Part of subcall function 00B22220: std::_Lockit::_Lockit.LIBCPMT ref: 00B2222F
                                • Part of subcall function 00B22220: std::_Lockit::~_Lockit.LIBCPMT ref: 00B2224A
                              • codecvt.LIBCPMT ref: 00B29E05
                              • std::_Facet_Register.LIBCPMT ref: 00B29E1C
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B29E3C
                              Yara matches
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
                              • String ID:
                              • API String ID: 712880209-0
                              • Opcode ID: 3f1653f3199ed81685ba3f34a87b8a5d5b45386bb6ad4097a7d8da252b131990
                              • Instruction ID: f0302eb217996482dba63c9e6030145ae3fe7773dc524517bff27b015051c74e
                              • Opcode Fuzzy Hash: 3f1653f3199ed81685ba3f34a87b8a5d5b45386bb6ad4097a7d8da252b131990
                              • Instruction Fuzzy Hash: 171193B1904235ABCF05EFA8E842AAEBBE5EF54710F154589F80DAB391DF709E00C791
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00B38DF3
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B38DFD
                                • Part of subcall function 00B22220: std::_Lockit::_Lockit.LIBCPMT ref: 00B2222F
                                • Part of subcall function 00B22220: std::_Lockit::~_Lockit.LIBCPMT ref: 00B2224A
                              • codecvt.LIBCPMT ref: 00B38E37
                              • std::_Facet_Register.LIBCPMT ref: 00B38E4E
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B38E6E
                              Yara matches
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
                              • String ID:
                              • API String ID: 712880209-0
                              • Opcode ID: 05e03cf6966fc908945486b63522a56672b9ea1bc7e966603bf9373249bf4195
                              • Instruction ID: 5f7235512499fba6b57dac9a1dde820409cb6b3de0ecfeb04018ae01deb25ad2
                              • Opcode Fuzzy Hash: 05e03cf6966fc908945486b63522a56672b9ea1bc7e966603bf9373249bf4195
                              • Instruction Fuzzy Hash: 7101D271900229AFCF15EBA4E841AAEB7F1EF90710F244589F415A7391CF719E01CB91
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00B38E88
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B38E92
                                • Part of subcall function 00B22220: std::_Lockit::_Lockit.LIBCPMT ref: 00B2222F
                                • Part of subcall function 00B22220: std::_Lockit::~_Lockit.LIBCPMT ref: 00B2224A
                              • codecvt.LIBCPMT ref: 00B38ECC
                              • std::_Facet_Register.LIBCPMT ref: 00B38EE3
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B38F03
                              Yara matches
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
                              • String ID:
                              • API String ID: 712880209-0
                              • Opcode ID: 5bb5f943966f43284218970e261c8cd638dc1a760a7a5c198bd357d7e318b1ea
                              • Instruction ID: 5ba54168f0ff30a7e5150c8c96e30aea8e567ef29670d0cd4f7f594f276a79a3
                              • Opcode Fuzzy Hash: 5bb5f943966f43284218970e261c8cd638dc1a760a7a5c198bd357d7e318b1ea
                              • Instruction Fuzzy Hash: A901C471900225ABCB05EBA4D851AAE77F1AF90710F250989F41467291CF309E00CB81
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00B474A7
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B474B1
                                • Part of subcall function 00B22220: std::_Lockit::_Lockit.LIBCPMT ref: 00B2222F
                                • Part of subcall function 00B22220: std::_Lockit::~_Lockit.LIBCPMT ref: 00B2224A
                              • messages.LIBCPMT ref: 00B474EB
                              • std::_Facet_Register.LIBCPMT ref: 00B47502
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B47522
                              Yara matches
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
                              • String ID:
                              • API String ID: 2750803064-0
                              • Opcode ID: 8634e33dfb9d817a7ae827a3469e06aef52ea30eab923f751a1a511b06ea4fd2
                              • Instruction ID: f28fd1175e37790fc6a232c72f7d7ff051342828294fed9c56638a89de01e1a5
                              • Opcode Fuzzy Hash: 8634e33dfb9d817a7ae827a3469e06aef52ea30eab923f751a1a511b06ea4fd2
                              • Instruction Fuzzy Hash: 0D01C0719041299BCB09EFA4E855ABE77F1EF90710F244489E419AB2C2CF349F01DB90
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00B39584
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B3958E
                                • Part of subcall function 00B22220: std::_Lockit::_Lockit.LIBCPMT ref: 00B2222F
                                • Part of subcall function 00B22220: std::_Lockit::~_Lockit.LIBCPMT ref: 00B2224A
                              • moneypunct.LIBCPMT ref: 00B395C8
                              • std::_Facet_Register.LIBCPMT ref: 00B395DF
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B395FF
                              Yara matches
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                              • String ID:
                              • API String ID: 419941038-0
                              • Opcode ID: ab7f6c16a39d0aae24bedc999a77759175714b501d69bac6376ce6b6b556cede
                              • Instruction ID: dcb980b6201bbc3825ba3f972109a7a29af3bf597461fbf744bb73d91d530e2b
                              • Opcode Fuzzy Hash: ab7f6c16a39d0aae24bedc999a77759175714b501d69bac6376ce6b6b556cede
                              • Instruction Fuzzy Hash: 7C01D671900229DFCF06EBA4E841BAEB7F0EF94710F254589F81567281CF749E01CB80
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00B396AE
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B396B8
                                • Part of subcall function 00B22220: std::_Lockit::_Lockit.LIBCPMT ref: 00B2222F
                                • Part of subcall function 00B22220: std::_Lockit::~_Lockit.LIBCPMT ref: 00B2224A
                              • moneypunct.LIBCPMT ref: 00B396F2
                              • std::_Facet_Register.LIBCPMT ref: 00B39709
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B39729
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                              • String ID:
                              • API String ID: 419941038-0
                              • Opcode ID: 987d40ba7c3037997639544f505597258c80a0c6efcae50bf1f631dda8affb8b
                              • Instruction ID: 9aab4e69de6c7bcae78c748d30e3ec72f7c9e1a758aeadd6eef17b6489d397ee
                              • Opcode Fuzzy Hash: 987d40ba7c3037997639544f505597258c80a0c6efcae50bf1f631dda8affb8b
                              • Instruction Fuzzy Hash: 4C01C071901129DBCB15EFA8E842AAEB7F1EF90310F240589E415A72D1CF709E01CB80
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00B476FB
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B47705
                                • Part of subcall function 00B22220: std::_Lockit::_Lockit.LIBCPMT ref: 00B2222F
                                • Part of subcall function 00B22220: std::_Lockit::~_Lockit.LIBCPMT ref: 00B2224A
                              • moneypunct.LIBCPMT ref: 00B4773F
                              • std::_Facet_Register.LIBCPMT ref: 00B47756
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B47776
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                              • String ID:
                              • API String ID: 419941038-0
                              • Opcode ID: 8610c093500b82e7518f125b95c8c0f88c5c3806561aaf0ae4d68ce66ff211f1
                              • Instruction ID: f1e81535885237aee5f6a1a4963cfb45b3d48dd753b838b2a7e85e24dc6ca833
                              • Opcode Fuzzy Hash: 8610c093500b82e7518f125b95c8c0f88c5c3806561aaf0ae4d68ce66ff211f1
                              • Instruction Fuzzy Hash: 4501C075A041299BCB05EBA4E845AAEB7F1EF90720F640589E414AB281CF359F05DB81
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00B39619
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B39623
                                • Part of subcall function 00B22220: std::_Lockit::_Lockit.LIBCPMT ref: 00B2222F
                                • Part of subcall function 00B22220: std::_Lockit::~_Lockit.LIBCPMT ref: 00B2224A
                              • moneypunct.LIBCPMT ref: 00B3965D
                              • std::_Facet_Register.LIBCPMT ref: 00B39674
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B39694
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                              • String ID:
                              • API String ID: 419941038-0
                              • Opcode ID: 5b15029b9c87b8682b9e1b8387326ae0e3214c3216247d4ac5f993b4b14a5c70
                              • Instruction ID: 42f675ad75679624be3aab57e3b8bac58b978e52896d63fc2f0fcd1eb5203bb6
                              • Opcode Fuzzy Hash: 5b15029b9c87b8682b9e1b8387326ae0e3214c3216247d4ac5f993b4b14a5c70
                              • Instruction Fuzzy Hash: BA01DE759012299BCB05EBA4E842AAEB7F1EF90310F354489E819AB291CF719E00CB80
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00B47666
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B47670
                                • Part of subcall function 00B22220: std::_Lockit::_Lockit.LIBCPMT ref: 00B2222F
                                • Part of subcall function 00B22220: std::_Lockit::~_Lockit.LIBCPMT ref: 00B2224A
                              • moneypunct.LIBCPMT ref: 00B476AA
                              • std::_Facet_Register.LIBCPMT ref: 00B476C1
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B476E1
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                              • String ID:
                              • API String ID: 419941038-0
                              • Opcode ID: 92ab2970a22cb4a81a6b30816af2517a4094fc5f68a8bde1e22a3ade4f421acf
                              • Instruction ID: 96157c4d9fd008f98f3e6f7fba021bb3599cb5fb0c00a6eef38089c616f71114
                              • Opcode Fuzzy Hash: 92ab2970a22cb4a81a6b30816af2517a4094fc5f68a8bde1e22a3ade4f421acf
                              • Instruction Fuzzy Hash: DC012271904128ABCB05EBA8E801AAEB7F6EF90320F254088E414A73C0DF309F00DB80
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00B39997
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B399A1
                                • Part of subcall function 00B22220: std::_Lockit::_Lockit.LIBCPMT ref: 00B2222F
                                • Part of subcall function 00B22220: std::_Lockit::~_Lockit.LIBCPMT ref: 00B2224A
                              • numpunct.LIBCPMT ref: 00B399DB
                              • std::_Facet_Register.LIBCPMT ref: 00B399F2
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B39A12
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
                              • String ID:
                              • API String ID: 743221004-0
                              • Opcode ID: e9ffd25857a711ffe2f07741bef336c2601002bbbb68e9d0cf15915862b51399
                              • Instruction ID: 47ec942eb45b7ed0a9e36a554d86323d2cf8c5583b12eb88738dcf153b6fcbf6
                              • Opcode Fuzzy Hash: e9ffd25857a711ffe2f07741bef336c2601002bbbb68e9d0cf15915862b51399
                              • Instruction Fuzzy Hash: 1501C071900129EBDF05EBA8E842AAEB7F5EF90710F250589E419A7281CF749E01CB90
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00B39A2C
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B39A36
                                • Part of subcall function 00B22220: std::_Lockit::_Lockit.LIBCPMT ref: 00B2222F
                                • Part of subcall function 00B22220: std::_Lockit::~_Lockit.LIBCPMT ref: 00B2224A
                              • numpunct.LIBCPMT ref: 00B39A70
                              • std::_Facet_Register.LIBCPMT ref: 00B39A87
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B39AA7
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
                              • String ID:
                              • API String ID: 743221004-0
                              • Opcode ID: 7397eaab01952f6748460fadc1082af69b1a2ae671cdd0427087939f8910a806
                              • Instruction ID: d4052a25d1548980bf6c32cab0268a7ff34e8f54553ff9ee346e2cb362c499e0
                              • Opcode Fuzzy Hash: 7397eaab01952f6748460fadc1082af69b1a2ae671cdd0427087939f8910a806
                              • Instruction Fuzzy Hash: EF01D272901129EFCF05EBA4E841ABEB7F4EF90710F244589F414AB281CF759E04CB80
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00B2B63D
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B2B648
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B2B6B6
                                • Part of subcall function 00B2B7C9: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00B2B7E1
                              • std::locale::_Setgloballocale.LIBCPMT ref: 00B2B663
                              • _Yarn.LIBCPMT ref: 00B2B679
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                              • String ID:
                              • API String ID: 1088826258-0
                              • Opcode ID: a98588620da09cb569b54b9c448f873b5c23b0b91d9d18142d11b126b2721150
                              • Instruction ID: 5acd6957a031c07f623d30290f81d13fc06a006620d9b5321b1f2e58aae90c2d
                              • Opcode Fuzzy Hash: a98588620da09cb569b54b9c448f873b5c23b0b91d9d18142d11b126b2721150
                              • Instruction Fuzzy Hash: 8E01BCB5A016209BCB06AF60E851A7D7BF1FF84700B158089E80917391CF746E02CBC1
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: __freea
                              • String ID: a/p$am/pm
                              • API String ID: 240046367-3206640213
                              • Opcode ID: 55280965b5ee16d88c8045d488cc4b49570b6de3b5b111fa6dbfb89a69ff9215
                              • Instruction ID: efb589068a815a0448915596258340d5eb1cbd26482c8c321b189e83480db8fe
                              • Opcode Fuzzy Hash: 55280965b5ee16d88c8045d488cc4b49570b6de3b5b111fa6dbfb89a69ff9215
                              • Instruction Fuzzy Hash: AFC1CE75904216DBDB28FFA8C889ABAB7F1FF49700F2441D9EA01AB270D3359D41DB61
                              APIs
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B224C9
                              • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00B2251A
                              • __Getctype.LIBCPMT ref: 00B22531
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: std::_$GetctypeLocinfo::_Locinfo_ctorLockitLockit::_
                              • String ID: bad locale name
                              • API String ID: 1612978173-1405518554
                              • Opcode ID: 757fee2313a9231af006498ba3eb31669fdbd8e4af64610eb75e7978d25ac9ed
                              • Instruction ID: dd2fbec4186599db300e18e4b5b111935225ef35b48fd349103c3f5b60cb4ec0
                              • Opcode Fuzzy Hash: 757fee2313a9231af006498ba3eb31669fdbd8e4af64610eb75e7978d25ac9ed
                              • Instruction Fuzzy Hash: 2631AFB1909350AFD7209F18E851B5BBBE0AF94714F1489ADF88C9B212D7B1D944CB92
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00B3E07C
                                • Part of subcall function 00B36003: _Maklocstr.LIBCPMT ref: 00B36023
                                • Part of subcall function 00B36003: _Maklocstr.LIBCPMT ref: 00B36040
                                • Part of subcall function 00B36003: _Maklocstr.LIBCPMT ref: 00B3605D
                              • _Mpunct.LIBCPMT ref: 00B3E109
                              • _Mpunct.LIBCPMT ref: 00B3E123
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Maklocstr$Mpunct$H_prolog3
                              • String ID: $+xv
                              • API String ID: 4259326447-1686923651
                              • Opcode ID: ed8cefe941e33fae429259da0cda1bddd9ec17da35faff7a7bb21b34b35b1c4f
                              • Instruction ID: 72f2886c64e77e8181c1b75bdc16c66d0a5bd4f414f65171fffd23a653e1aa61
                              • Opcode Fuzzy Hash: ed8cefe941e33fae429259da0cda1bddd9ec17da35faff7a7bb21b34b35b1c4f
                              • Instruction Fuzzy Hash: 2E21C4B1904B926ED725DF74889073BBEF8BB09301F24499AE499C7A41D770EA01CB90
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Mpunct$H_prolog3
                              • String ID: $+xv
                              • API String ID: 4281374311-1686923651
                              • Opcode ID: 857ef35002ef02bc72542a508235d22ac74bf069c7fefcc45cddc7635c79fb73
                              • Instruction ID: 7870c7cfece4c0c14228ecc4a51c04e44ccd848f0ab81079703dc6e7d66cc640
                              • Opcode Fuzzy Hash: 857ef35002ef02bc72542a508235d22ac74bf069c7fefcc45cddc7635c79fb73
                              • Instruction Fuzzy Hash: 852192B1904A526EDB61DF74889077FBEF8AB09700F044A9AF499C7A41DB70EA05DB90
                              APIs
                              • __is_exception_typeof.LIBVCRUNTIME ref: 00B4E9EA
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: __is_exception_typeof
                              • String ID: MOC$RCC$csm
                              • API String ID: 3140442014-2671469338
                              • Opcode ID: 9814d4fd951d7961e4b66649a77827b21ce077a29de881a9f70c9312ef954ebe
                              • Instruction ID: e2f9899b0b7e5e14c683e779be3b6870206d12d2f85f6d420aceaee6568278fa
                              • Opcode Fuzzy Hash: 9814d4fd951d7961e4b66649a77827b21ce077a29de881a9f70c9312ef954ebe
                              • Instruction Fuzzy Hash: D3118235504315DFD718DF98C405BA9B7E8FF00322F1644EAE8589B2A1D7B4EE40DB91
                              APIs
                              • LoadLibraryExW.KERNEL32(00000011,00000000,00000800,?,00B5A4F3,00000000,00000001,00C07074,?,?,?,00B5A74A,00000004,InitializeCriticalSectionEx,00BAB5DC,InitializeCriticalSectionEx), ref: 00B5A603
                              • GetLastError.KERNEL32(?,00B5A4F3,00000000,00000001,00C07074,?,?,?,00B5A74A,00000004,InitializeCriticalSectionEx,00BAB5DC,InitializeCriticalSectionEx,00000000,?,00B5323D), ref: 00B5A60D
                              • LoadLibraryExW.KERNEL32(00000011,00000000,00000000,?,00000011,00B51C03), ref: 00B5A635
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: LibraryLoad$ErrorLast
                              • String ID: api-ms-
                              • API String ID: 3177248105-2084034818
                              • Opcode ID: f3cad3d23a552fdc9fd7d5fe95e89e9d05f071c86e30c06eba923a3ed8f18d05
                              • Instruction ID: c74dd5e4cc082633c2018d7e37344828801e649ecfe21b3b3f01e22664db4fdc
                              • Opcode Fuzzy Hash: f3cad3d23a552fdc9fd7d5fe95e89e9d05f071c86e30c06eba923a3ed8f18d05
                              • Instruction Fuzzy Hash: C2E04F70680208B7EF202F61EC07F583AA4EB16B41F1444A1FE4DB94E1EF71E917DA99
                              APIs
                              • GetConsoleOutputCP.KERNEL32(5838D13B,00000010,00000000,?), ref: 00B8D942
                                • Part of subcall function 00B91787: WideCharToMultiByte.KERNEL32(00000010,00000000,00BB8230,00000010,00000010,00000010,00B8E31A,0000FDE9,00BB8230,?,?,?,00B8E013,0000FDE9,00000000,?), ref: 00B91833
                              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00B8DB9D
                              • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00B8DBE5
                              • GetLastError.KERNEL32 ref: 00B8DC88
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                              • String ID:
                              • API String ID: 2112829910-0
                              • Opcode ID: 2191fc5c27f65ccb7333fabce6bd51fe687c352992b552e6e2f561287bfe4355
                              • Instruction ID: 2c4f3cf5d2a2241332dc717b323aaaedce06e95985fd54cba3f22e164523f18d
                              • Opcode Fuzzy Hash: 2191fc5c27f65ccb7333fabce6bd51fe687c352992b552e6e2f561287bfe4355
                              • Instruction Fuzzy Hash: EED15A75E04258AFCB15DFA8D880AADBBF5FF49300F2845AAE855E73A1D730A941CF50
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00B56418
                              • UnDecorator::getSymbolName.LIBCMT ref: 00B564AA
                              • DName::operator+.LIBCMT ref: 00B565AE
                              • DName::DName.LIBVCRUNTIME ref: 00B56651
                                • Part of subcall function 00B53D5A: shared_ptr.LIBCMT ref: 00B53D76
                                • Part of subcall function 00B53FF4: DName::DName.LIBVCRUNTIME ref: 00B54042
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Name$Name::$Decorator::getH_prolog3Name::operator+Symbolshared_ptr
                              • String ID:
                              • API String ID: 1134295639-0
                              • Opcode ID: bb7179c5b5e9e07019838fee16364b75903ace2683ddbec1a2d6d8289388ea97
                              • Instruction ID: c9d0e0dda5bc89cfddcac58de0b93f2fead881f6c7b20814070bb4a826e9705a
                              • Opcode Fuzzy Hash: bb7179c5b5e9e07019838fee16364b75903ace2683ddbec1a2d6d8289388ea97
                              • Instruction Fuzzy Hash: 65715E71D042199FDB15CFA4D881BEEBBF4EB08316F5441EAED05AB251DB34A948CB60
                              APIs
                              • DName::operator+.LIBCMT ref: 00B56BE5
                                • Part of subcall function 00B539A9: __aulldvrm.LIBCMT ref: 00B539DA
                              • DName::operator+.LIBCMT ref: 00B56B46
                              • DName::operator=.LIBVCRUNTIME ref: 00B56C2A
                              • DName::DName.LIBVCRUNTIME ref: 00B56C5C
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Name::operator+$NameName::Name::operator=__aulldvrm
                              • String ID:
                              • API String ID: 2973644308-0
                              • Opcode ID: 7cf99a1bd6add52bfb8cf6a4839b2e97e043ef86006aa4c633fab100839d0688
                              • Instruction ID: 798d52277fa759d764066b0340b4566bf8d7d3a87c001317889c8ef1023a302f
                              • Opcode Fuzzy Hash: 7cf99a1bd6add52bfb8cf6a4839b2e97e043ef86006aa4c633fab100839d0688
                              • Instruction Fuzzy Hash: D3616DB0D04219DFDB09CF64C881BAEBBF0FB45702F5582DAE9456B351D770AA44CBA0
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AdjustPointer
                              • String ID:
                              • API String ID: 1740715915-0
                              • Opcode ID: f228488e0972d1c74cdc8e98f0765c155e1607ed2ec13ac137af20e62c3da62b
                              • Instruction ID: 9754e4cfa7270b94baaf33260679894740848270e42ef154582d55cd67702cff
                              • Opcode Fuzzy Hash: f228488e0972d1c74cdc8e98f0765c155e1607ed2ec13ac137af20e62c3da62b
                              • Instruction Fuzzy Hash: 8F51E576606A02AFEB289F10D881BBB73E4FF56702F1441D9EE0167291D731ED89DB90
                              APIs
                              • DName::operator+.LIBCMT ref: 00B56814
                                • Part of subcall function 00B53D1E: DName::operator+=.LIBCMT ref: 00B53D34
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Name::operator+Name::operator+=
                              • String ID:
                              • API String ID: 382699925-0
                              • Opcode ID: 6e2243beb9ce3ade03b900cc72c8103dec4acdf3f5c9544303d31ce64c8ce997
                              • Instruction ID: 52666d0d5b5e0ddd3485f6ff9ab14ba69f83d72518d690f63cd2b509336ca3f6
                              • Opcode Fuzzy Hash: 6e2243beb9ce3ade03b900cc72c8103dec4acdf3f5c9544303d31ce64c8ce997
                              • Instruction Fuzzy Hash: 1D412971D0420ADACB04DFA8D889BEEBBF4EF19305F5041DAE915A7341D7759A8CCB90
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00B2E88B
                                • Part of subcall function 00B2B636: __EH_prolog3.LIBCMT ref: 00B2B63D
                                • Part of subcall function 00B2B636: std::_Lockit::_Lockit.LIBCPMT ref: 00B2B648
                                • Part of subcall function 00B2B636: std::locale::_Setgloballocale.LIBCPMT ref: 00B2B663
                                • Part of subcall function 00B2B636: _Yarn.LIBCPMT ref: 00B2B679
                                • Part of subcall function 00B2B636: std::_Lockit::~_Lockit.LIBCPMT ref: 00B2B6B6
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B2E8AF
                              • std::locale::_Setgloballocale.LIBCPMT ref: 00B2E8FE
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B2E95E
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Lockitstd::_$H_prolog3Lockit::_Lockit::~_Setgloballocalestd::locale::_$Yarn
                              • String ID:
                              • API String ID: 2301162320-0
                              • Opcode ID: 40a05ae80259cb570a6b07c90309e495af029529b70d073f3b21379a21d8dbcb
                              • Instruction ID: 9dd5e8e02470af81df793c46976da0bfe311e52ef3e32b851a01d1df26126919
                              • Opcode Fuzzy Hash: 40a05ae80259cb570a6b07c90309e495af029529b70d073f3b21379a21d8dbcb
                              • Instruction Fuzzy Hash: 23217E726002249FDB44DF69D8D1A6D77F4EF8931070440AAE81EDB282DF30ED41CB91
                              APIs
                                • Part of subcall function 00B91787: WideCharToMultiByte.KERNEL32(00000010,00000000,00BB8230,00000010,00000010,00000010,00B8E31A,0000FDE9,00BB8230,?,?,?,00B8E013,0000FDE9,00000000,?), ref: 00B91833
                              • GetLastError.KERNEL32 ref: 00B929F2
                              • __dosmaperr.LIBCMT ref: 00B929F9
                              • GetLastError.KERNEL32(?,?,?,?), ref: 00B92A33
                              • __dosmaperr.LIBCMT ref: 00B92A3A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                              • String ID:
                              • API String ID: 1913693674-0
                              • Opcode ID: 04680ac488c53efbbeb0316dd8c0e866add400323e0f4c1ef5033e77d6889f05
                              • Instruction ID: b4c9608c7014e6127074a760eb2d7b291903fc28b5250b81b38005f821e5fc5a
                              • Opcode Fuzzy Hash: 04680ac488c53efbbeb0316dd8c0e866add400323e0f4c1ef5033e77d6889f05
                              • Instruction Fuzzy Hash: 6621C532A00205BFDF20AF75888186BB7E8FF4936471185B9F959D7250D730ED419B90
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6afa9a4c8e6f52061ef2afe552a70e574f539fc2d9674da114b20bd408e4e193
                              • Instruction ID: cef36a6a46f9645517a9a0e7b3d53628a4e6f0f5f30520fdf219575987c9685d
                              • Opcode Fuzzy Hash: 6afa9a4c8e6f52061ef2afe552a70e574f539fc2d9674da114b20bd408e4e193
                              • Instruction Fuzzy Hash: 1121D871210205AFDBA0BF76DC81C6B77E8EF443A4B1086A5F955D7161EB30EC05DB50
                              APIs
                              • GetEnvironmentStringsW.KERNEL32 ref: 00B94647
                                • Part of subcall function 00B91787: WideCharToMultiByte.KERNEL32(00000010,00000000,00BB8230,00000010,00000010,00000010,00B8E31A,0000FDE9,00BB8230,?,?,?,00B8E013,0000FDE9,00000000,?), ref: 00B91833
                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B9467F
                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B9469F
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                              • String ID:
                              • API String ID: 158306478-0
                              • Opcode ID: 9c6d51d12cdb44bc4d7c9d3404a6ab69bc1180974c40e819ae67bd45e5b4f680
                              • Instruction ID: 7b1c25a381d9545f8263e654c97c8c001a01f16c02d20832ee59d8be80a43aad
                              • Opcode Fuzzy Hash: 9c6d51d12cdb44bc4d7c9d3404a6ab69bc1180974c40e819ae67bd45e5b4f680
                              • Instruction Fuzzy Hash: 9B11ADE19015167FAA112BB55C8ECAF6AECEE8B2D871005F5F902A2101FF249D0292B9
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00B2D931
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B2D93B
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B2D9E2
                              • Concurrency::cancel_current_task.LIBCPMT ref: 00B2D9ED
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Lockitstd::_$Concurrency::cancel_current_taskH_prolog3Lockit::_Lockit::~_
                              • String ID:
                              • API String ID: 4244582100-0
                              • Opcode ID: da13c4feffdbe46c7a8601412c8939f43db618a5326192a8dd9e617d104b7b98
                              • Instruction ID: 3fe2f7c8304d43f4afa56a4739f012c24721ecfa800287758143510f8e3cdc65
                              • Opcode Fuzzy Hash: da13c4feffdbe46c7a8601412c8939f43db618a5326192a8dd9e617d104b7b98
                              • Instruction Fuzzy Hash: EE212C7460062AAFDB04EF14D891A6DB7B1FF49710F10849AE8699B7A1DF71ED50CF80
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00B2D708
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B2D712
                                • Part of subcall function 00B22220: std::_Lockit::_Lockit.LIBCPMT ref: 00B2222F
                                • Part of subcall function 00B22220: std::_Lockit::~_Lockit.LIBCPMT ref: 00B2224A
                              • std::_Facet_Register.LIBCPMT ref: 00B2D763
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B2D783
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                              • String ID:
                              • API String ID: 2854358121-0
                              • Opcode ID: c37a9bb8b4cde5212228d6d33944004bc9bb27820473e1c3c7287802381d4f44
                              • Instruction ID: 897e2f94fcec56f5db8bed716e1c8a14b6408b889867ba0433d42976225be195
                              • Opcode Fuzzy Hash: c37a9bb8b4cde5212228d6d33944004bc9bb27820473e1c3c7287802381d4f44
                              • Instruction Fuzzy Hash: 0E11C475900228EBCB05EFA4E841AAEBBF4EF54310F244599F818E7391CF759E05DB80
                              APIs
                              • CreateThread.KERNEL32(00000000,?,00B5ABA1,00000000,00000004,00000000), ref: 00B5AE9B
                              • GetLastError.KERNEL32 ref: 00B5AEA7
                              • __dosmaperr.LIBCMT ref: 00B5AEAE
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateErrorLastThread__dosmaperr
                              • String ID:
                              • API String ID: 2744730728-0
                              • Opcode ID: 610e6ed5ca027f6b26cc6f8bddc3ce853578af7160252edfa99b07f9fa884862
                              • Instruction ID: 84a6a35cc7440533f5712afed43527b28aeaafbb3b4cf384f4895df9794649c3
                              • Opcode Fuzzy Hash: 610e6ed5ca027f6b26cc6f8bddc3ce853578af7160252edfa99b07f9fa884862
                              • Instruction Fuzzy Hash: 8C01DB72500104BBDB119BA5DC4AB9E7BF5DF81372F2043D5FA24A60D0DF708905D761
                              APIs
                              • SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?), ref: 00B9013F
                              • GetLastError.KERNEL32(?,?,?,?), ref: 00B9014C
                              • SetFilePointerEx.KERNEL32(?,?,?,?,?), ref: 00B90172
                              • SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?), ref: 00B90198
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: FilePointer$ErrorLast
                              • String ID:
                              • API String ID: 142388799-0
                              • Opcode ID: b5e69fb01b0ad1bcbed4e39c37b7b5717cec31b2a2dd1335623a96ebadc339de
                              • Instruction ID: d028451234e5a2312730d23a31313a07fb2058a6e1e614f7442250be5a1a3043
                              • Opcode Fuzzy Hash: b5e69fb01b0ad1bcbed4e39c37b7b5717cec31b2a2dd1335623a96ebadc339de
                              • Instruction Fuzzy Hash: C4117571810228BFDF10AFA6DC499DF3FB9EF05760F108198F824A61A0CB31CA41DBA0
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00B38FB2
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B38FBC
                                • Part of subcall function 00B22220: std::_Lockit::_Lockit.LIBCPMT ref: 00B2222F
                                • Part of subcall function 00B22220: std::_Lockit::~_Lockit.LIBCPMT ref: 00B2224A
                              • std::_Facet_Register.LIBCPMT ref: 00B3900D
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B3902D
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                              • String ID:
                              • API String ID: 2854358121-0
                              • Opcode ID: 6c83a71975e8fd8f9df108bcfbd30db731c914105329da2acc5fb73c1821acb5
                              • Instruction ID: 67cfb22c22bd0014f3adc84577f3e68d69b425b3dd9e9e14080737cd7a40eb7e
                              • Opcode Fuzzy Hash: 6c83a71975e8fd8f9df108bcfbd30db731c914105329da2acc5fb73c1821acb5
                              • Instruction Fuzzy Hash: 5501D275900129DBDB06EBA4E852AAEB7F1EF90320F240489F415A72D1DF709E01CB80
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00B38F1D
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B38F27
                                • Part of subcall function 00B22220: std::_Lockit::_Lockit.LIBCPMT ref: 00B2222F
                                • Part of subcall function 00B22220: std::_Lockit::~_Lockit.LIBCPMT ref: 00B2224A
                              • std::_Facet_Register.LIBCPMT ref: 00B38F78
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B38F98
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                               • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                              • String ID:
                              • API String ID: 2854358121-0
                              • Opcode ID: e555f4da398cce7a4620b44bcb4f29eb67bbc9f67c1015d2cba510a329ed94ce
                              • Instruction ID: 252f850926b1a92ce40c5ece48d0c1ca525d76e5b0a197074bf3f5e7a7913e6d
                              • Opcode Fuzzy Hash: e555f4da398cce7a4620b44bcb4f29eb67bbc9f67c1015d2cba510a329ed94ce
                              • Instruction Fuzzy Hash: 4401C4719002259BDB05EBA4D851ABE77F5EF94310F254589F4186B281CF749E01CB81
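Nearly every function record above is MSVC runtime code (the DName demangler, std::locale facet registration, __dosmaperr error mapping) rather than logic written by the RedLine author, and reading that by eye across hundreds of records is slow. The Python below is an added example, not Joe Sandbox code: it parses the plugin's record format (the "APIs" call lines with their "Part of subcall function" children, the bullet fields "API ID", "Opcode ID", "Instruction Fuzzy Hash", and so on) into structured objects, separates records whose callees are all LIBCMT/LIBCPMT/LIBVCRUNTIME from records that reach Win32 directly, and flags calls on a watchlist. The watchlist and the trimmed SAMPLE text are this example's assumptions; the sample records are excerpted from those above, including one with an empty "APIs" list and one with no "APIs" header at all, which is why a record is delimited by its last field rather than its first.

```python
"""Parse the per-function records the Joe Sandbox IDA plugin prints ("APIs",
"API ID", "Opcode ID", "Instruction Fuzzy Hash", ...) and triage them.
Added example, not Joe Sandbox code. Field names follow the report text;
WATCHLIST and the trimmed SAMPLE are this example's assumptions."""
import re
from dataclasses import dataclass, field

# Five records excerpted from the report above and trimmed. Record 2 has an
# "APIs" header with no calls and record 3 has no "APIs" header at all, so a
# record is delimited by its final field, "Instruction Fuzzy Hash".
SAMPLE = """\
APIs
• GetConsoleOutputCP.KERNEL32(5838D13B,00000010,00000000,?), ref: 00B8D942
  • Part of subcall function 00B91787: WideCharToMultiByte.KERNEL32(00000010,00000000,00BB8230), ref: 00B91833
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00B8DB9D
• GetLastError.KERNEL32 ref: 00B8DC88
Memory Dump Source
• Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
• API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
• String ID:
• API String ID: 2112829910-0
• Opcode ID: 2191fc5c27f65ccb7333fabce6bd51fe687c352992b552e6e2f561287bfe4355
• Instruction Fuzzy Hash: EED15A75E04258AFCB15DFA8D880AADBBF5FF49300F2845AAE855E73A1D730A941CF50
APIs
• API ID: AdjustPointer
• API String ID: 1740715915-0
• Opcode ID: f228488e0972d1c74cdc8e98f0765c155e1607ed2ec13ac137af20e62c3da62b
• Instruction Fuzzy Hash: 8F51E576606A02AFEB289F10D881BBB73E4FF56702F1441D9EE0167291D731ED89DB90
• API ID:
• API String ID:
• Opcode ID: 6afa9a4c8e6f52061ef2afe552a70e574f539fc2d9674da114b20bd408e4e193
• Instruction Fuzzy Hash: 1121D871210205AFDBA0BF76DC81C6B77E8EF443A4B1086A5F955D7161EB30EC05DB50
APIs
• DName::operator+.LIBCMT ref: 00B56BE5
  • Part of subcall function 00B539A9: __aulldvrm.LIBCMT ref: 00B539DA
• DName::DName.LIBVCRUNTIME ref: 00B56C5C
• API ID: Name::operator+$NameName::Name::operator=__aulldvrm
• Opcode ID: 7cf99a1bd6add52bfb8cf6a4839b2e97e043ef86006aa4c633fab100839d0688
• Instruction Fuzzy Hash: D3616DB0D04219DFDB09CF64C881BAEBBF0FB45702F5582DAE9456B351D770AA44CBA0
APIs
• CreateThread.KERNEL32(00000000,?,00B5ABA1,00000000,00000004,00000000), ref: 00B5AE9B
• GetLastError.KERNEL32 ref: 00B5AEA7
• __dosmaperr.LIBCMT ref: 00B5AEAE
• API ID: CreateErrorLastThread__dosmaperr
• Opcode ID: 610e6ed5ca027f6b26cc6f8bddc3ce853578af7160252edfa99b07f9fa884862
• Instruction Fuzzy Hash: 8C01DB72500104BBDB119BA5DC4AB9E7BF5DF81372F2043D5FA24A60D0DF708905D761
"""

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR", optionally
# prefixed by "Part of subcall function ADDR:". Names may contain "::", "+", "~".
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>\S+?)\.(?P<module>[A-Z0-9]+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})")
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
CRT_MODULES = {"LIBCMT", "LIBCPMT", "LIBVCRUNTIME"}  # MSVC runtime internals
# Assumed triage watchlist: file writes, thread creation, common injection primitives.
WATCHLIST = {"WriteFile", "CreateThread", "CreateRemoteThread", "VirtualAllocEx",
             "WriteProcessMemory", "SetThreadContext", "ResumeThread"}


@dataclass
class ApiCall:
    name: str
    module: str
    ref: str         # call-site address in the dump
    subcall_of: str  # callee address when listed as "Part of subcall", else ""


@dataclass
class FunctionRecord:
    fields: dict = field(default_factory=dict)  # "API ID", "Opcode ID", ... as printed
    apis: list = field(default_factory=list)

    @property
    def opcode_id(self) -> str:
        return self.fields.get("Opcode ID", "")


def parse_records(text: str) -> list:
    """Split plugin output into records; a record ends at "Instruction Fuzzy Hash"."""
    records, cur = [], FunctionRecord()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            cur.apis.append(ApiCall(m["name"], m["module"], m["ref"], m["sub"] or ""))
            continue
        f = FIELD_RE.match(line)
        if f:
            cur.fields[f["key"]] = f["val"].strip()
            if f["key"] == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = FunctionRecord()
    if cur.fields or cur.apis:  # record truncated by a page cut: keep what is there
        records.append(cur)
    return records


def is_crt_only(rec: FunctionRecord) -> bool:
    """Every listed call is into the MSVC runtime: compiler-shipped code, not sample logic."""
    return bool(rec.apis) and all(a.module in CRT_MODULES for a in rec.apis)


def flagged_calls(rec: FunctionRecord, watchlist=WATCHLIST) -> list:
    return sorted({a.name for a in rec.apis if a.name in watchlist})


def triage(text: str, watchlist=WATCHLIST) -> dict:
    """Record count, how many are CRT-only, and Opcode ID prefix -> watchlisted calls."""
    recs = parse_records(text)
    flagged = {}
    for r in recs:
        hits = flagged_calls(r, watchlist)
        if hits:
            flagged[r.opcode_id[:12]] = hits
    return {"records": len(recs), "crt_only": sum(is_crt_only(r) for r in recs), "flagged": flagged}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the sample this reports five records, one of them CRT-only (the DName record), and two flagged functions: the console-write routine (WriteFile) and the thread-creation wrapper (CreateThread). Against a full report the CRT-only filter removes most of the demangler and locale records seen above, leaving the handful of functions that touch Win32 directly for manual review.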
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00B47412
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B4741C
                                • Part of subcall function 00B22220: std::_Lockit::_Lockit.LIBCPMT ref: 00B2222F
                                • Part of subcall function 00B22220: std::_Lockit::~_Lockit.LIBCPMT ref: 00B2224A
                              • std::_Facet_Register.LIBCPMT ref: 00B4746D
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B4748D
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                              • String ID:
                              • API String ID: 2854358121-0
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00B475D1
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B475DB
                                • Part of subcall function 00B22220: std::_Lockit::_Lockit.LIBCPMT ref: 00B2222F
                                • Part of subcall function 00B22220: std::_Lockit::~_Lockit.LIBCPMT ref: 00B2224A
                              • std::_Facet_Register.LIBCPMT ref: 00B4762C
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B4764C
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                              • String ID:
                              • API String ID: 2854358121-0
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00B4753C
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B47546
                                • Part of subcall function 00B22220: std::_Lockit::_Lockit.LIBCPMT ref: 00B2222F
                                • Part of subcall function 00B22220: std::_Lockit::~_Lockit.LIBCPMT ref: 00B2224A
                              • std::_Facet_Register.LIBCPMT ref: 00B47597
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B475B7
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                              • String ID:
                              • API String ID: 2854358121-0
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00B47790
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B4779A
                                • Part of subcall function 00B22220: std::_Lockit::_Lockit.LIBCPMT ref: 00B2222F
                                • Part of subcall function 00B22220: std::_Lockit::~_Lockit.LIBCPMT ref: 00B2224A
                              • std::_Facet_Register.LIBCPMT ref: 00B477EB
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B4780B
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                              • String ID:
                              • API String ID: 2854358121-0
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00B397D8
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B397E2
                                • Part of subcall function 00B22220: std::_Lockit::_Lockit.LIBCPMT ref: 00B2222F
                                • Part of subcall function 00B22220: std::_Lockit::~_Lockit.LIBCPMT ref: 00B2224A
                              • std::_Facet_Register.LIBCPMT ref: 00B39833
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B39853
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                              • String ID:
                              • API String ID: 2854358121-0
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00B39743
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B3974D
                                • Part of subcall function 00B22220: std::_Lockit::_Lockit.LIBCPMT ref: 00B2222F
                                • Part of subcall function 00B22220: std::_Lockit::~_Lockit.LIBCPMT ref: 00B2224A
                              • std::_Facet_Register.LIBCPMT ref: 00B3979E
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B397BE
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                              • String ID:
                              • API String ID: 2854358121-0
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00B39902
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B3990C
                                • Part of subcall function 00B22220: std::_Lockit::_Lockit.LIBCPMT ref: 00B2222F
                                • Part of subcall function 00B22220: std::_Lockit::~_Lockit.LIBCPMT ref: 00B2224A
                              • std::_Facet_Register.LIBCPMT ref: 00B3995D
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B3997D
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                              • String ID:
                              • API String ID: 2854358121-0
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00B47825
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B4782F
                                • Part of subcall function 00B22220: std::_Lockit::_Lockit.LIBCPMT ref: 00B2222F
                                • Part of subcall function 00B22220: std::_Lockit::~_Lockit.LIBCPMT ref: 00B2224A
                              • std::_Facet_Register.LIBCPMT ref: 00B47880
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B478A0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                              • String ID:
                              • API String ID: 2854358121-0
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00B3986D
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B39877
                                • Part of subcall function 00B22220: std::_Lockit::_Lockit.LIBCPMT ref: 00B2222F
                                • Part of subcall function 00B22220: std::_Lockit::~_Lockit.LIBCPMT ref: 00B2224A
                              • std::_Facet_Register.LIBCPMT ref: 00B398C8
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B398E8
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                              • String ID:
                              • API String ID: 2854358121-0
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00B39AC1
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B39ACB
                                • Part of subcall function 00B22220: std::_Lockit::_Lockit.LIBCPMT ref: 00B2222F
                                • Part of subcall function 00B22220: std::_Lockit::~_Lockit.LIBCPMT ref: 00B2224A
                              • std::_Facet_Register.LIBCPMT ref: 00B39B1C
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B39B3C
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                              • String ID:
                              • API String ID: 2854358121-0
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00B39BEB
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B39BF5
                                • Part of subcall function 00B22220: std::_Lockit::_Lockit.LIBCPMT ref: 00B2222F
                                • Part of subcall function 00B22220: std::_Lockit::~_Lockit.LIBCPMT ref: 00B2224A
                              • std::_Facet_Register.LIBCPMT ref: 00B39C46
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B39C66
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                              • String ID:
                              • API String ID: 2854358121-0
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00B39B56
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B39B60
                                • Part of subcall function 00B22220: std::_Lockit::_Lockit.LIBCPMT ref: 00B2222F
                                • Part of subcall function 00B22220: std::_Lockit::~_Lockit.LIBCPMT ref: 00B2224A
                              • std::_Facet_Register.LIBCPMT ref: 00B39BB1
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B39BD1
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                              • String ID:
                              • API String ID: 2854358121-0
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00B39C80
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B39C8A
                                • Part of subcall function 00B22220: std::_Lockit::_Lockit.LIBCPMT ref: 00B2222F
                                • Part of subcall function 00B22220: std::_Lockit::~_Lockit.LIBCPMT ref: 00B2224A
                              • std::_Facet_Register.LIBCPMT ref: 00B39CDB
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B39CFB
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                              • String ID:
                              • API String ID: 2854358121-0
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00B390DC
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B390E6
                                • Part of subcall function 00B22220: std::_Lockit::_Lockit.LIBCPMT ref: 00B2222F
                                • Part of subcall function 00B22220: std::_Lockit::~_Lockit.LIBCPMT ref: 00B2224A
                              • ctype.LIBCPMT ref: 00B39120
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B39157
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3ctype
                              • String ID:
                              • API String ID: 3358926169-0
                              • Opcode ID: 2aab3bc5347b1cfff081ec1a8c720526c07bcc17d04297fd1197510f8f02a271
                              • Instruction ID: b269f470a6601c50caf267b4dc7c983e22961fe6b17e8f556c83c0b86919bc1c
                              • Opcode Fuzzy Hash: 2aab3bc5347b1cfff081ec1a8c720526c07bcc17d04297fd1197510f8f02a271
                              • Instruction Fuzzy Hash: 76F0BB3190052ABBDB05EBA4E846BAE37E4DF50710F200594F529B71C1DF759E08D780
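The dump names under "Memory Dump Source" encode the attributes of each memory region the sandbox captured. The following is an added example (not Joe Sandbox code, and not part of the original report) that parses those names and decodes the Win32 protection and region-type constants so a reviewer can pick out executable or writable+executable regions at a glance. The Win32 constant values are standard (winnt.h); the mapping of name fields to base address, protection and region type is an assumption inferred from the values on this page (0x20 on the code section, 0x02/0x04 on data sections, 0x1000000 on every region), not documented Joe Sandbox behaviour. The sample input is the six dump names listed for process 0 on this page, one of them with the "Download File" link text still glued on as it appears in the export.

```python
"""Decode Joe Sandbox memory-dump file names into Win32 region attributes."""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Win32 page-protection values (winnt.h): one base value, optional modifier bits.
PAGE_NOACCESS, PAGE_READONLY, PAGE_READWRITE, PAGE_WRITECOPY = 0x01, 0x02, 0x04, 0x08
PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x10, 0x20, 0x40, 0x80
PAGE_GUARD, PAGE_NOCACHE, PAGE_WRITECOMBINE = 0x100, 0x200, 0x400

PROTECT_NAMES = {
    PAGE_NOACCESS: "PAGE_NOACCESS", PAGE_READONLY: "PAGE_READONLY",
    PAGE_READWRITE: "PAGE_READWRITE", PAGE_WRITECOPY: "PAGE_WRITECOPY",
    PAGE_EXECUTE: "PAGE_EXECUTE", PAGE_EXECUTE_READ: "PAGE_EXECUTE_READ",
    PAGE_EXECUTE_READWRITE: "PAGE_EXECUTE_READWRITE",
    PAGE_EXECUTE_WRITECOPY: "PAGE_EXECUTE_WRITECOPY",
}
MODIFIER_NAMES = {PAGE_GUARD: "PAGE_GUARD", PAGE_NOCACHE: "PAGE_NOCACHE",
                  PAGE_WRITECOMBINE: "PAGE_WRITECOMBINE"}

# MEMORY_BASIC_INFORMATION.Type values (winnt.h).
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
TYPE_NAMES = {MEM_PRIVATE: "MEM_PRIVATE", MEM_MAPPED: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}

EXEC_BITS = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
WRITE_BITS = PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

# Eight dot-separated fields before ".sdmp". ASSUMPTION: field 4 is the region
# base, field 5 the page protection and field 7 the region type; fields 3, 6
# and 8 are kept opaque because the page gives no basis for naming them.
_NAME_RE = re.compile(
    r"^(?P<process>[0-9A-Fa-f]{8})\.(?P<snapshot>[0-9A-Fa-f]{8})\.(?P<dump>[0-9]+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<field6>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.(?P<field8>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    name: str
    process: int
    snapshot: int
    base: int
    protect: int
    mem_type: int

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXEC_BITS)

    @property
    def writable(self) -> bool:
        return bool(self.protect & WRITE_BITS)

    @property
    def rwx(self) -> bool:
        return self.executable and self.writable

    def protect_name(self) -> str:
        base = self.protect & 0xFF
        parts = [PROTECT_NAMES.get(base, f"0x{base:02x}")]
        parts += [n for bit, n in MODIFIER_NAMES.items() if self.protect & bit]
        return "|".join(parts)

    def type_name(self) -> str:
        return TYPE_NAMES.get(self.mem_type, f"0x{self.mem_type:x}")


def parse_dump_name(raw: str) -> DumpRegion:
    # The HTML-to-text export glues the "Download File" link text onto the
    # file name; strip it before matching so pasted report lines parse as-is.
    name = raw.strip()
    if name.endswith("Download File"):
        name = name[: -len("Download File")].rstrip()
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {raw!r}")
    return DumpRegion(name=name, process=int(m["process"], 16), snapshot=int(m["snapshot"], 16),
                      base=int(m["base"], 16), protect=int(m["protect"], 16),
                      mem_type=int(m["type"], 16))


def triage(names: Iterable[str]) -> List[DumpRegion]:
    """Regions to open first: any RWX region, and any executable region that is
    not a plain MEM_IMAGE mapping (private executable memory is where injected
    PEs and unpacked stages live). A clean image's own sections do not qualify."""
    regions = [parse_dump_name(n) for n in names]
    return [r for r in regions if r.rwx or (r.executable and r.mem_type != MEM_IMAGE)]


# The six dump names listed for process 0 on this page (one with export residue).
PAGE_DUMPS = [
    "00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File",
    "00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp",
]

if __name__ == "__main__":
    for r in map(parse_dump_name, PAGE_DUMPS):
        print(f"{r.base:#010x} {r.protect_name():<24} {r.type_name():<12} "
              f"exec={r.executable} write={r.writable}")
    print("needs attention:", [f"{r.base:#x}" for r in triage(PAGE_DUMPS)])
```

On this page every listed region is MEM_IMAGE with RX or read-only/RW protection, i.e. the sample's own mapped sections, so `triage` returns nothing here; the injected-PE behaviour flagged at the top of the report would show up as executable MEM_PRIVATE dumps in the injected process, which is what the filter is written to surface.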
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00B39047
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B39051
                                • Part of subcall function 00B22220: std::_Lockit::_Lockit.LIBCPMT ref: 00B2222F
                                • Part of subcall function 00B22220: std::_Lockit::~_Lockit.LIBCPMT ref: 00B2224A
                              • ctype.LIBCPMT ref: 00B3908B
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B390C2
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3ctype
                              • String ID:
                              • API String ID: 3358926169-0
                              • Opcode ID: b60cad6b95f1feabcf5b95f581b48c9a55835a32d7fd05b595b83b67f0c79df2
                              • Instruction ID: 6d28ae838524b58a72319dfdcdcce5f7d855845093fe0ee8f729da1ba8b9b1dc
                              • Opcode Fuzzy Hash: b60cad6b95f1feabcf5b95f581b48c9a55835a32d7fd05b595b83b67f0c79df2
                              • Instruction Fuzzy Hash: 83F0B431900129ABDB19FBB0D842BAE77E0EF50710F204588F5186B1C2EF759E04CB81
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00B39206
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B39210
                                • Part of subcall function 00B22220: std::_Lockit::_Lockit.LIBCPMT ref: 00B2222F
                                • Part of subcall function 00B22220: std::_Lockit::~_Lockit.LIBCPMT ref: 00B2224A
                              • messages.LIBCPMT ref: 00B3924A
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B39281
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3messages
                              • String ID:
                              • API String ID: 50917705-0
                              • Opcode ID: a49413dafeffb7602d21f00f581a5ccac72deb80c35d96bd192e4c5b4a9b5d98
                              • Instruction ID: 4a2fc6893b21d9d4b29c514490ca87ead939a5cbc80b7fc4db6f5aab6cd8f2d0
                              • Opcode Fuzzy Hash: a49413dafeffb7602d21f00f581a5ccac72deb80c35d96bd192e4c5b4a9b5d98
                              • Instruction Fuzzy Hash: F9F0BE31905529ABCB05FBA0E842BAE37E4AF50710F7005D9F918AB2D1EF75AE04CB80
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00B39171
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B3917B
                                • Part of subcall function 00B22220: std::_Lockit::_Lockit.LIBCPMT ref: 00B2222F
                                • Part of subcall function 00B22220: std::_Lockit::~_Lockit.LIBCPMT ref: 00B2224A
                              • messages.LIBCPMT ref: 00B391B5
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B391EC
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3messages
                              • String ID:
                              • API String ID: 50917705-0
                              • Opcode ID: 1adf6c33665d5589e49d9d970321f45440ca24cf653be1901ad5586f77bd38ad
                              • Instruction ID: 6545f9c4014fa727a3d19a8a607acb90244b54a40be9063272d59bfb1a29fee6
                              • Opcode Fuzzy Hash: 1adf6c33665d5589e49d9d970321f45440ca24cf653be1901ad5586f77bd38ad
                              • Instruction Fuzzy Hash: F8F0BE7190052ABBDB09FBA4E856BBE77E5EF50710F200688F518BB2C1DF759E058780
                              APIs
                              • WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 00BA03B5
                              • GetLastError.KERNEL32 ref: 00BA03C1
                                • Part of subcall function 00BA046A: CloseHandle.KERNEL32(FFFFFFFE,00BA04B4,?,00B9BFAF,00000010,00000001,00000010,?,?,00B8DCDC,?,00000010,00000000,?,?), ref: 00BA047A
                              • ___initconout.LIBCMT ref: 00BA03D1
                                • Part of subcall function 00BA042C: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00BA045B,00B9BF9C,?,?,00B8DCDC,?,00000010,00000000,?), ref: 00BA043F
                              • WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 00BA03E5
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                              • String ID:
                              • API String ID: 2744216297-0
                              • Opcode ID: cd50afc473420079fbdb3d018150d6f1e940b3ae1c42b4c02e22be8db5603a09
                              • Instruction ID: 4680fce3cda4b655f2f1b96db0b0541400013c59f6344a9f3572c80c1ccac4fc
                              • Opcode Fuzzy Hash: cd50afc473420079fbdb3d018150d6f1e940b3ae1c42b4c02e22be8db5603a09
                              • Instruction Fuzzy Hash: 89F05E36110601BBCB222B96DC059467FF6FB8E711B104415F64993530DE729851DB60
                              APIs
                              • WriteConsoleW.KERNEL32(00000010,00000000,00BB8230,00000000,00000010,?,00B9BFAF,00000010,00000001,00000010,?,?,00B8DCDC,?,00000010,00000000), ref: 00BA0498
                              • GetLastError.KERNEL32(?,00B9BFAF,00000010,00000001,00000010,?,?,00B8DCDC,?,00000010,00000000,?,?,?,00B8E2AB,00000010), ref: 00BA04A4
                                • Part of subcall function 00BA046A: CloseHandle.KERNEL32(FFFFFFFE,00BA04B4,?,00B9BFAF,00000010,00000001,00000010,?,?,00B8DCDC,?,00000010,00000000,?,?), ref: 00BA047A
                              • ___initconout.LIBCMT ref: 00BA04B4
                                • Part of subcall function 00BA042C: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00BA045B,00B9BF9C,?,?,00B8DCDC,?,00000010,00000000,?), ref: 00BA043F
                              • WriteConsoleW.KERNEL32(00000010,00000000,00BB8230,00000000,?,00B9BFAF,00000010,00000001,00000010,?,?,00B8DCDC,?,00000010,00000000,?), ref: 00BA04C9
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                              • String ID:
                              • API String ID: 2744216297-0
                              • Opcode ID: 90a27e797715aba827c2aa3cf026f65526f6af2ede09d9865c98368c28cd763d
                              • Instruction ID: d2e508d96ba0c6f2d197835886416e2d4b1d730fc883aa2573d8419a1ab46fe5
                              • Opcode Fuzzy Hash: 90a27e797715aba827c2aa3cf026f65526f6af2ede09d9865c98368c28cd763d
                              • Instruction Fuzzy Hash: 1DF01C36514125BBCF222F91DC0598A3FB6FB0E3A1F008050FA09A6631DE728C20DBD1
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00B394EF
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B394F9
                                • Part of subcall function 00B22220: std::_Lockit::_Lockit.LIBCPMT ref: 00B2222F
                                • Part of subcall function 00B22220: std::_Lockit::~_Lockit.LIBCPMT ref: 00B2224A
                              • moneypunct.LIBCPMT ref: 00B39533
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00B3956A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3moneypunct
                              • String ID:
                              • API String ID: 3160146232-0
                              • Opcode ID: bcf5b809f0e01fc0609945cb90ec67b7dc8b87a396191d265ac3598d40410fe3
                              • Instruction ID: 140cdf8636d91203bba78bbf9ab126a05a26584e8c00cb44a7c10086af43b7c1
                              • Opcode Fuzzy Hash: bcf5b809f0e01fc0609945cb90ec67b7dc8b87a396191d265ac3598d40410fe3
                              • Instruction Fuzzy Hash: D8F0A071900229BBDF02FBA0D852BAE37A5EF50700F610098F8086B281CF759F04CB81
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: __aulldiv
                              • String ID: +$-
                              • API String ID: 3732870572-2137968064
                              • Opcode ID: 55ea88ad12684d53603bdb65b5a3d19b7dc181b6f7c924530d379be042662d04
                              • Instruction ID: 4bf584bb9c9a6c9db6149c83cc459bd7942a60d056040a08f69403905c656210
                              • Opcode Fuzzy Hash: 55ea88ad12684d53603bdb65b5a3d19b7dc181b6f7c924530d379be042662d04
                              • Instruction Fuzzy Hash: E5A1B4309056599FDF34CE6888916FE7BF5EF45320F18C6E9E8B9AB381D2B499018B50
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: H_prolog3___cftoe
                              • String ID: !%x
                              • API String ID: 855520168-1893981228
                              • Opcode ID: b94e0ae9d7d86f06522292a30dca4cf0a6b01ae9d0962d93c3726794fd11aaff
                              • Instruction ID: 4a297118d6af01295c5ae9ecc62ba0df953803c2172a7c96819c68273ce87734
                              • Opcode Fuzzy Hash: b94e0ae9d7d86f06522292a30dca4cf0a6b01ae9d0962d93c3726794fd11aaff
                              • Instruction Fuzzy Hash: 95717C71D00609AFDF18EFA8E881AEDB7F5EF48300F1041A9F415A7252EB35AE41CB50
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: H_prolog3___cftoe
                              • String ID: !%x
                              • API String ID: 855520168-1893981228
                              • Opcode ID: b42173aec94d549ef68a202726b9febb0460f587b80a070e7f9db70dd93fe9e5
                              • Instruction ID: 2b6aee9842fe23a1848838de096c8c7de8964263975a17d93df639b62de6e5a3
                              • Opcode Fuzzy Hash: b42173aec94d549ef68a202726b9febb0460f587b80a070e7f9db70dd93fe9e5
                              • Instruction Fuzzy Hash: 75716A72D00509AFDF28EFA8E885AEDB7F5EF48300F1045A9F415A7252EB35AE41CB50
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: __aulldiv
                              • String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
                              • API String ID: 3732870572-1956417402
                              • Opcode ID: 18df8299cf270231cd73f9332d56c356808625bb34b080de345946c641b1ec98
                              • Instruction ID: b8e2f491c73e69b697241b6c0ae3e8d1156cd37a9138764e8c9f7984086061a6
                              • Opcode Fuzzy Hash: 18df8299cf270231cd73f9332d56c356808625bb34b080de345946c641b1ec98
                              • Instruction Fuzzy Hash: F951E730A042589BCF258E6E8481FBEBBF9DF49710F1444DAE691D7342C374CB41AB55
                              APIs
                              • ___except_validate_context_record.LIBVCRUNTIME ref: 00B51ADF
                              • __IsNonwritableInCurrentImage.LIBCMT ref: 00B51B93
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CurrentImageNonwritable___except_validate_context_record
                              • String ID: csm
                              • API String ID: 3480331319-1018135373
                              • Opcode ID: f7dbbaa0373e66d038f5f81d439a957153cf907c8b321eb019547bd239e3a328
                              • Instruction ID: cebf957ac10454ff9e3fa7c625fb1856f82db3997f77d0b650f2f7d706b66a46
                              • Opcode Fuzzy Hash: f7dbbaa0373e66d038f5f81d439a957153cf907c8b321eb019547bd239e3a328
                              • Instruction Fuzzy Hash: 45419D34A00208ABCF10DF6CC881B9EBBF5EF46315F1485D5EC15AB392E775AA19CB91
                              APIs
                              • EncodePointer.KERNEL32(00000000,?), ref: 00B526A0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: EncodePointer
                              • String ID: MOC$RCC
                              • API String ID: 2118026453-2084237596
                              • Opcode ID: 61c1ec72569604b4d30ff335253dcbad9177b2401db552d5d33990a7ea436178
                              • Instruction ID: 6afaf5f98b8cdd309cd189ca69bf8dbfb129939db2aee13186d7b7a6d38b09b1
                              • Opcode Fuzzy Hash: 61c1ec72569604b4d30ff335253dcbad9177b2401db552d5d33990a7ea436178
                              • Instruction Fuzzy Hash: 41414472900209AFDF16CF98CD81AAEBBF5FF49305F1480D9F908A6221D335AE64DB50
                              APIs
                              • __EH_prolog3_GS.LIBCMT ref: 00B44233
                                • Part of subcall function 00B39040: __EH_prolog3.LIBCMT ref: 00B39047
                                • Part of subcall function 00B39040: std::_Lockit::_Lockit.LIBCPMT ref: 00B39051
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: H_prolog3H_prolog3_LockitLockit::_std::_
                              • String ID: %.0Lf$0123456789-
                              • API String ID: 79917597-3094241602
                              • Opcode ID: 24a4edd964abc56c4397c729fe2b3717abf0cf935d15d489f7771aac82dae76e
                              • Instruction ID: 6f17eb8a36b4ea2d3e00649c7344e84bb30eda807febebd9a269703a2eceb237
                              • Opcode Fuzzy Hash: 24a4edd964abc56c4397c729fe2b3717abf0cf935d15d489f7771aac82dae76e
                              • Instruction Fuzzy Hash: DB415835910119EFCF05EFA4C9819EEBBF4FF09314F200199F911AB251DB709A56DB91
                              APIs
                              • __EH_prolog3_GS.LIBCMT ref: 00B44560
                                • Part of subcall function 00B390D5: __EH_prolog3.LIBCMT ref: 00B390DC
                                • Part of subcall function 00B390D5: std::_Lockit::_Lockit.LIBCPMT ref: 00B390E6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: H_prolog3H_prolog3_LockitLockit::_std::_
                              • String ID: 0123456789-$0123456789-
                              • API String ID: 79917597-2494171821
                              • Opcode ID: 7ef8cf307414121b53bff138dc45ffeb53a0e542434d13d1894fbdd4d9d6a81c
                              • Instruction ID: c149ec63dac28b44e888e49e6ee789c8d4040a05228dc9e56b99c59b38b358b5
                              • Opcode Fuzzy Hash: 7ef8cf307414121b53bff138dc45ffeb53a0e542434d13d1894fbdd4d9d6a81c
                              • Instruction Fuzzy Hash: 80416C31900219EFCF15EFA4C981AEEBBF5FF09310F200099E911AB251DB30AE56DB51
                              APIs
                              • __EH_prolog3_GS.LIBCMT ref: 00B4A854
                                • Part of subcall function 00B259F0: std::_Lockit::_Lockit.LIBCPMT ref: 00B259FD
                                • Part of subcall function 00B259F0: std::_Lockit::_Lockit.LIBCPMT ref: 00B25A17
                                • Part of subcall function 00B259F0: std::_Lockit::~_Lockit.LIBCPMT ref: 00B25A38
                                • Part of subcall function 00B259F0: std::_Lockit::~_Lockit.LIBCPMT ref: 00B25A64
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3_
                              • String ID: 0123456789-$0123456789-
                              • API String ID: 2088892359-2494171821
                              • Opcode ID: ea6587e61333d21d788e35b4d1d711d1ac5bc270f9b04780c00b5222374ca8ea
                              • Instruction ID: ca749bdd9d2341d5726b1d58d00721ede63eefd8a62fc238f1f5d99ad9ac34f2
                              • Opcode Fuzzy Hash: ea6587e61333d21d788e35b4d1d711d1ac5bc270f9b04780c00b5222374ca8ea
                              • Instruction Fuzzy Hash: 16415871D00218EFCF15EFA4E8819AEBBB5EF19310B10409AF815AB252DB359E16EB51
                              APIs
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B27439
                              • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00B2748A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                              • String ID: bad locale name
                              • API String ID: 3988782225-1405518554
                              • Opcode ID: f14fb63a410ec3fbda1ac1921071af3cb1009dda1f3812e8c85f79dc6fd61d63
                              • Instruction ID: b28a71ad1bf194054c4a24a3b6b0fb764794e56b7a602ae1ba13dadfa59a4e67
                              • Opcode Fuzzy Hash: f14fb63a410ec3fbda1ac1921071af3cb1009dda1f3812e8c85f79dc6fd61d63
                              • Instruction Fuzzy Hash: EF2168715093509BD710DF28D89174BBFE0AF94714F68489DE48C9B241D7B6C909CB97
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: NameName::
                              • String ID: A
                              • API String ID: 1333004437-3554254475
                              • Opcode ID: 5a8cdd2608598b82ae1d5981a389a7bfea02516699da6bfa7ec3ddc168e6d522
                              • Instruction ID: 63ecbd74f5e1249ec1d2163d31f39c0e76595cc5b20920abd237d143cb49dcbb
                              • Opcode Fuzzy Hash: 5a8cdd2608598b82ae1d5981a389a7bfea02516699da6bfa7ec3ddc168e6d522
                              • Instruction Fuzzy Hash: DE218EB1A04208EFEF15DF64C851BAD7BF1FB04346F5488E9E8095B291C730AA8ACF50
                              APIs
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00B22075
                              • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00B220BA
                                • Part of subcall function 00B2B734: _Yarn.LIBCPMT ref: 00B2B753
                                • Part of subcall function 00B2B734: _Yarn.LIBCPMT ref: 00B2B777
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2271391310.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                              • Associated: 00000000.00000002.2271367347.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271452400.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BBA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271476585.0000000000BFC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2271542859.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
                              • String ID: bad locale name
                              • API String ID: 1908188788-1405518554
                              • Opcode ID: 41002b4104a0f591084bd71d3eaf440de21d950c5475ae4303a33fa384a21098
                              • Instruction ID: 330597de89cc10078b3c7bca885a588bbb667953c6add4bd1f8b13dd8a217cf9
                              • Opcode Fuzzy Hash: 41002b4104a0f591084bd71d3eaf440de21d950c5475ae4303a33fa384a21098
                              • Instruction Fuzzy Hash: 99F0F461101B509ED3709F399805747BEE4AF29310F048E6EE48EC7A52E375E508CBAA

                              Execution Graph

                              Execution Coverage:7.7%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:0%
                              Total number of Nodes:52
                              Total number of Limit Nodes:7

                              Control-flow Graph

                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 02BAB086
                              Memory Dump Source
                              • Source File: 00000002.00000002.2194482508.0000000002BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BA0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_2ba0000_RegAsm.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: 4afd5c98d305868ebc1fba2fb5e4a1b086dd0d3f4628e19201c7f480adadb64f
                              • Instruction ID: 9ae4b6519f2fa2f449e415508b6cc378a9e6d8c7e03f0053ddbc971fd27b5284
                              • Opcode Fuzzy Hash: 4afd5c98d305868ebc1fba2fb5e4a1b086dd0d3f4628e19201c7f480adadb64f
                              • Instruction Fuzzy Hash: DA8167B0A04B058FDB24DF29D55179ABBF1FF48704F00896ED49AD7A50D735E84ACBA0

                              Control-flow Graph

                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 02BA59F1
                              Memory Dump Source
                              • Source File: 00000002.00000002.2194482508.0000000002BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BA0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_2ba0000_RegAsm.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              • Opcode ID: 1416a1c5d18e7122e63b756576de98e6fee6400fc304bbe6722b516abd01daca
                              • Instruction ID: 1d87ae20df298f29676b425bc5cab9a1a216d0907f586ee5ea523b26803ad8a0
                              • Opcode Fuzzy Hash: 1416a1c5d18e7122e63b756576de98e6fee6400fc304bbe6722b516abd01daca
                              • Instruction Fuzzy Hash: 1F4121B1D00619CEDB24CFA9C884BCDBBB5FF49304F24809AD019AB250DB75698ACF90

                              Control-flow Graph

                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 02BA59F1
                              Memory Dump Source
                              • Source File: 00000002.00000002.2194482508.0000000002BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BA0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_2ba0000_RegAsm.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              • Opcode ID: 25ab3a623dc6de0f017b06a1b679f7ec9794759387735182bf2c224f2ddc7ac4
                              • Instruction ID: f3829256ce7d0542b5d80f368ef56c475b92e33381b28128917ed82136cb76dc
                              • Opcode Fuzzy Hash: 25ab3a623dc6de0f017b06a1b679f7ec9794759387735182bf2c224f2ddc7ac4
                              • Instruction Fuzzy Hash: 394102B1D04719CFDB28CFA9C884B9DBBB5FF45304F60806AD419AB250DBB5694ACF90

                              Control-flow Graph

                              APIs
                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02BAB101,00000800,00000000,00000000), ref: 02BAB312
                              Memory Dump Source
                              • Source File: 00000002.00000002.2194482508.0000000002BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BA0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_2ba0000_RegAsm.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              • Opcode ID: edf515517be21049c52932baa3758417a7fbbc8e9642f068b6dc7751ac20a9b7
                              • Instruction ID: 3b7b6dc03e23c032a24c65510a742547355461e525dc9a895eb67f9e7cedc0b2
                              • Opcode Fuzzy Hash: edf515517be21049c52932baa3758417a7fbbc8e9642f068b6dc7751ac20a9b7
                              • Instruction Fuzzy Hash: 652188B68083888FDB11DFAAD8A4ADEBFF4EF59314F04809AD458A7211C3789545CFA1

                              Control-flow Graph

                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02BAD2C6,?,?,?,?,?), ref: 02BAD387
                              Memory Dump Source
                              • Source File: 00000002.00000002.2194482508.0000000002BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BA0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_2ba0000_RegAsm.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: 7fe288a43f112a1dc81962b14b7d0241afefb0278694d30f286a760ef3e4e149
                              • Instruction ID: 6151afc0094ef31770aac694558b6318b3e3c9ec0c235756916076dd63514d3f
                              • Opcode Fuzzy Hash: 7fe288a43f112a1dc81962b14b7d0241afefb0278694d30f286a760ef3e4e149
                              • Instruction Fuzzy Hash: 4C21E6B59002499FDB10CF9AD984ADEBFF4EB48310F14845AE918A3310D378A954CFA4

                              Control-flow Graph

                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02BAD2C6,?,?,?,?,?), ref: 02BAD387
                              Memory Dump Source
                              • Source File: 00000002.00000002.2194482508.0000000002BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BA0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_2ba0000_RegAsm.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: 93cf3499904b668370471c668ffd4fc03a6312d9dfe2e438a5487ceec6485264
                              • Instruction ID: 5415f41a46b7d63c8d6457a46308e1365236b75f6e4344ac73eeedad93be4f74
                              • Opcode Fuzzy Hash: 93cf3499904b668370471c668ffd4fc03a6312d9dfe2e438a5487ceec6485264
                              • Instruction Fuzzy Hash: AE21C4B5D002499FDB10CF99D585ADEBBF5EB48324F14845AE918B3310D378A954CFA0

                              Control-flow Graph

                              APIs
                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02BAB101,00000800,00000000,00000000), ref: 02BAB312
                              Memory Dump Source
                              • Source File: 00000002.00000002.2194482508.0000000002BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BA0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_2ba0000_RegAsm.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              • Opcode ID: 0b68f43b6a35c6af5bcd4b977fc419f2dc5bef8d1c2efbe3f29aa8d1d9a2fa15
                              • Instruction ID: 702003bd4663007013f605baeddb82d4242a5b8ac917d9ce64e6cbf50ea48703
                              • Opcode Fuzzy Hash: 0b68f43b6a35c6af5bcd4b977fc419f2dc5bef8d1c2efbe3f29aa8d1d9a2fa15
                              • Instruction Fuzzy Hash: F41103B69043499FCB10CF9AD444ADEFBF4EB58314F10846ED529A7200C378A545CFA4

                              Control-flow Graph

                              APIs
                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02BAB101,00000800,00000000,00000000), ref: 02BAB312
                              Memory Dump Source
                              • Source File: 00000002.00000002.2194482508.0000000002BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BA0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_2ba0000_RegAsm.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              • Opcode ID: 9982448e48648ae85c14f9665e51578b3cb2d18d6638fad20db87bf064ecb4bf
                              • Instruction ID: cbe3509b5bedfc4c5536217474fc571371aba75c83229d9f9d1b68343a7ee0a6
                              • Opcode Fuzzy Hash: 9982448e48648ae85c14f9665e51578b3cb2d18d6638fad20db87bf064ecb4bf
                              • Instruction Fuzzy Hash: F31144B69003498FCB10CFAAC444ADEFFF4EF58314F14845AD828A7200C378A545CFA0

                              Control-flow Graph

                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 02BAB086
                              Memory Dump Source
                              • Source File: 00000002.00000002.2194482508.0000000002BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BA0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_2ba0000_RegAsm.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: 3fb44e3032f18488783da1e3d024e44fa01eb5f4ae02efcfe8d7418f7eae35d1
                              • Instruction ID: 7c15219bea8630ad8edd336b9a9f25c497ac607b68baa66657418ef4470eda90
                              • Opcode Fuzzy Hash: 3fb44e3032f18488783da1e3d024e44fa01eb5f4ae02efcfe8d7418f7eae35d1
                              • Instruction Fuzzy Hash: CF110FB6C003498FCB20DF9AC444ADEFBF4EB88224F10845AD428B7210C379A545CFA1
                              Memory Dump Source
                              • Source File: 00000002.00000002.2193708711.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_fad000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 776f27d149542d860a8c31c3ebf89589da66dd54431c0e985f8ee5052c3970ba
                              • Instruction ID: de3447eec991af7a978b05b98c8d337138e335eae7e99284145fbe2136acedf3
                              • Opcode Fuzzy Hash: 776f27d149542d860a8c31c3ebf89589da66dd54431c0e985f8ee5052c3970ba
                              • Instruction Fuzzy Hash: 4D2133B2500204DFDB05DF14C9C0B26BF65FB99324F20C569DD0A0B616C33AE846EAA2
                              Memory Dump Source
                              • Source File: 00000002.00000002.2193825637.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_100d000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 332128dffb2f5c0bef461d1595b21f9832db03ccabdae7dce35c489318933d78
                              • Instruction ID: 5254c3b0e4f5a529764b051552c927651a11411e50e13992f8e7e42cccded838
                              • Opcode Fuzzy Hash: 332128dffb2f5c0bef461d1595b21f9832db03ccabdae7dce35c489318933d78
                              • Instruction Fuzzy Hash: A0212571604200DFEB16CFA8D980B16BFA5EB84314F20C5ADE98D4B296C33AD407CB72
                              Memory Dump Source
                              • Source File: 00000002.00000002.2193708711.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_fad000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 07d586b370810bf15e8d939e07fb0dccd80900219e7a08ccebccaf9c83e80135
                              • Instruction ID: 7ed7accb298d2cefc1cb286aadd6a58f4c261e40158ac92ef61e433af937f918
                              • Opcode Fuzzy Hash: 07d586b370810bf15e8d939e07fb0dccd80900219e7a08ccebccaf9c83e80135
                              • Instruction Fuzzy Hash: D81129B6804240CFDB06CF00D5C4B16BF71FB99324F24C6A9DD090B616C33AE456DBA1
                              Memory Dump Source
                              • Source File: 00000002.00000002.2193825637.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_100d000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5c3f0733ce8851a1589f40a5fbe057aabe2b6f8a867c37c7fcc40a2fdda36e59
                              • Instruction ID: b5f31aa71aa851ed7b635e6d1bc4d4f948e32807313096a8549a95458e4c9cd4
                              • Opcode Fuzzy Hash: 5c3f0733ce8851a1589f40a5fbe057aabe2b6f8a867c37c7fcc40a2fdda36e59
                              • Instruction Fuzzy Hash: DE11D075504280CFDB12CF94D5C4B15FFA1FB44314F24C6AAE84D4B696C33AD44ACB62
                              Memory Dump Source
                              • Source File: 00000002.00000002.2193708711.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_fad000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 81b3799aa5eec4a8b9169b8bc5f99db71c15ccd96bff8000824a58637215c139
                              • Instruction ID: 5cf77812a2095e249c322662a053de3e99951b7dc41da8a35c83e153d6c569ff
                              • Opcode Fuzzy Hash: 81b3799aa5eec4a8b9169b8bc5f99db71c15ccd96bff8000824a58637215c139
                              • Instruction Fuzzy Hash: B9012BB15093449EE7108A15CD84B67BF98EF42334F18C469ED0A4A647C67C9C40D6B1
                              Memory Dump Source
                              • Source File: 00000002.00000002.2193708711.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_fad000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6d6564a0d91b688a37a91bae255925e98bc2f8decc1ec7f80d0297a244eb8da6
                              • Instruction ID: 1fafa0ba9bb42338672c534da949a44409a965de2cf0cca39119cb2bd3dd22e9
                              • Opcode Fuzzy Hash: 6d6564a0d91b688a37a91bae255925e98bc2f8decc1ec7f80d0297a244eb8da6
                              • Instruction Fuzzy Hash: A9F0F6715093449EE7108A06CDC4B62FFA8EF52734F18C45AED084F686C2789C44CAB0