Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1466203
MD5: 5d505724b7a084217d7db6b2710d8613
SHA1: f444284be57973aa0d2fa22cdea4e3a639bdb6c4
SHA256: c4024302b2f74461f6aecd5ca2f2889fa8ed48a420cb2176ae782368e2c5c6eb
Tags: exe
Infos:

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RedLine Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • file.exe (PID: 6724 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 5D505724B7A084217D7DB6B2710D8613)
    • RegAsm.exe (PID: 6804 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • WerFault.exe (PID: 7048 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6724 -s 312 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": "77.105.135.107:3445", "Bot Id": "LogsDiller Cloud (TG: @logsdillabot)", "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author | Strings
00000001.00000002.1783599988.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Process Memory Space: file.exe PID: 6724 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author | Strings
0.2.file.exe.17ab00.1.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
1.2.RegAsm.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.file.exe.17ab00.1.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.file.exe.e0000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

No Sigma rule has matched

Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
07/02/24-17:18:57.592984 | 2046045 | 49731 | 3445 | TCP | A Network Trojan was detected
07/02/24-17:18:57.785662 | 2043234 | 3445 | 49731 | TCP | A Network Trojan was detected
07/02/24-17:19:08.955501 | 2043231 | 49731 | 3445 | TCP | A Network Trojan was detected
07/02/24-17:19:03.098044 | 2046056 | 3445 | 49731 | TCP | A Network Trojan was detected

AV Detection

Source: 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": "77.105.135.107:3445", "Bot Id": "LogsDiller Cloud (TG: @logsdillabot)", "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}
Source: file.exe | ReversingLabs: Detection: 36%
Source: Submited Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\rr5fat94pc9blu\output.pdb' source: file.exe
Source: Binary string: C:\rr5fat94pc9blu\output.pdb source: file.exe
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00152EFA FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00152EFA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0015317F FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_0015317F

Networking

Source: Traffic | Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.4:49731 -> 77.105.135.107:3445
Source: Traffic | Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.4:49731 -> 77.105.135.107:3445
Source: Traffic | Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 77.105.135.107:3445 -> 192.168.2.4:49731
Source: Traffic | Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 77.105.135.107:3445 -> 192.168.2.4:49731
Source: Malware configuration extractor | URLs: 77.105.135.107:3445
Source: global traffic | TCP traffic: 192.168.2.4:49731 -> 77.105.135.107:3445
Source: Joe Sandbox View | ASN Name: PLUSTELECOM-ASRU PLUSTELECOM-ASRU
Source: unknown | TCP traffic detected without corresponding DNS query: 77.105.135.107
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002F7F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002F7F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.1784877150.00000000031AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.1784877150.00000000031AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002F7F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002F7F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002F7F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002F7F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002F7F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002F7F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002F7F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002F7F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.1784877150.0000000002F7F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.1784877150.0000000002F7F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002F7F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002F7F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002F7F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.1784877150.0000000002F77000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002F7F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002F7F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000002F7F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
                        Source: Amcache.hve.4.drString found in binary or memory: http://upx.sf.net
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000003495000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                        Source: file.exe, 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000001.00000002.1783599988.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000003495000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000003495000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000003495000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000003495000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000003495000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabS
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000003495000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000003495000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                        Source: RegAsm.exe, 00000001.00000002.1784877150.0000000003495000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                        Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00148C74 appears 33 times
                        Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0010C7CB appears 71 times
                        Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0010D150 appears 65 times
                        Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0010C798 appears 117 times
                        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6724 -s 312
                        Source: file.exe, 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamePunningly.exe8 vs file.exe
                        Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/6@0/1
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Local\SystemCache
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: NULL
                        Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6724
                        Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\26b8b2c4-0dc3-4971-9e1c-f1be8bf6559c
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: file.exe | ReversingLabs: Detection: 36%
                        Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6724 -s 312
                        Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
                        Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mscoree.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dwrite.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msvcp140_clr0400.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: secur32.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wbemcomn.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: amsi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: userenv.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dpapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rstrtmgr.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntasn1.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windowscodecs.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32
                        Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                        Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                        Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                        Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                        Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                        Source: file.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                        Source: Binary string: C:\rr5fat94pc9blu\output.pdb' source: file.exe
                        Source: Binary string: C:\rr5fat94pc9blu\output.pdb source: file.exe
                        Source: file.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                        Source: file.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                        Source: file.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                        Source: file.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                        Source: file.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0010C766 push ecx; ret 0_2_0010C779
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0010D1A0 push ecx; ret 0_2_0010D1B3
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_012247D7 push ebp; iretd 1_2_0122483D
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 1200000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 2EA0000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 2C50000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 1082
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 4509
                        Source: C:\Users\user\Desktop\file.exeAPI coverage: 6.4 %
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7060Thread sleep time: -19369081277395017s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6912Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00152EFA FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00152EFA
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0015317F FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_0015317F
                        Source: Amcache.hve.4.drBinary or memory string: VMware
                        Source: Amcache.hve.4.drBinary or memory string: VMware Virtual USB Mouse
                        Source: Amcache.hve.4.drBinary or memory string: vmci.syshbin
                        Source: Amcache.hve.4.drBinary or memory string: VMware, Inc.
                        Source: Amcache.hve.4.drBinary or memory string: VMware20,1hbin@
                        Source: Amcache.hve.4.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                        Source: Amcache.hve.4.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                        Source: Amcache.hve.4.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                        Source: Amcache.hve.4.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                        Source: Amcache.hve.4.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                        Source: Amcache.hve.4.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                        Source: Amcache.hve.4.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                        Source: RegAsm.exe, 00000001.00000002.1783992387.00000000010E0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: Amcache.hve.4.drBinary or memory string: vmci.sys
                        Source: Amcache.hve.4.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                        Source: Amcache.hve.4.drBinary or memory string: vmci.syshbin`
                        Source: Amcache.hve.4.drBinary or memory string: \driver\vmci,\driver\pci
                        Source: Amcache.hve.4.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                        Source: Amcache.hve.4.drBinary or memory string: VMware20,1
                        Source: Amcache.hve.4.drBinary or memory string: Microsoft Hyper-V Generation Counter
                        Source: Amcache.hve.4.drBinary or memory string: NECVMWar VMware SATA CD00
                        Source: Amcache.hve.4.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                        Source: Amcache.hve.4.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                        Source: Amcache.hve.4.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                        Source: Amcache.hve.4.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                        Source: Amcache.hve.4.drBinary or memory string: VMware PCI VMCI Bus Device
                        Source: Amcache.hve.4.drBinary or memory string: VMware VMCI Bus Device
                        Source: Amcache.hve.4.drBinary or memory string: VMware Virtual RAM
                        Source: Amcache.hve.4.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                        Source: Amcache.hve.4.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information queried: ProcessInformation
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00152799 IsDebuggerPresent,0_2_00152799
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0014A686 mov eax, dword ptr fs:[00000030h]0_2_0014A686
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0014A4DF mov eax, dword ptr fs:[00000030h]0_2_0014A4DF
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0014A522 mov eax, dword ptr fs:[00000030h]0_2_0014A522
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0014A565 mov eax, dword ptr fs:[00000030h]0_2_0014A565
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0014A5C0 mov eax, dword ptr fs:[00000030h]0_2_0014A5C0
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0014A6CA mov eax, dword ptr fs:[00000030h]0_2_0014A6CA
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0014A70E mov eax, dword ptr fs:[00000030h]0_2_0014A70E
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0014A73F mov eax, dword ptr fs:[00000030h]0_2_0014A73F
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_001457D9 mov ecx, dword ptr fs:[00000030h]0_2_001457D9
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess token adjusted: Debug
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_001369C1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_001369C1
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0010CEEF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0010CEEF
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0010D07F SetUnhandledExceptionFilter,0_2_0010D07F
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0010D1B4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0010D1B4
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: page read and write | page guard

                        HIPS / PFW / Operating System Protection Evasion

                        Source: C:\Users\user\Desktop\file.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0284018D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,0_2_0284018D
                        Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                        Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                        Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
                        Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000
                        Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44E000
                        Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: D0E008
                        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0010CBB5 cpuid 0_2_0010CBB5
                        Source: C:\Users\user\Desktop\file.exe | Code function: EnumSystemLocalesW,0_2_00148672
                        Source: C:\Users\user\Desktop\file.exe | Code function: EnumSystemLocalesW,0_2_00148803
                        Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoEx,FormatMessageA,0_2_000EE9AF
                        Source: C:\Users\user\Desktop\file.exe | Code function: GetACP,IsValidCodePage,GetLocaleInfoW,0_2_00156F54
                        Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,0_2_0014912E
                        Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,0_2_0015714F
                        Source: C:\Users\user\Desktop\file.exe | Code function: EnumSystemLocalesW,0_2_001571F6
                        Source: C:\Users\user\Desktop\file.exe | Code function: EnumSystemLocalesW,0_2_0015725F
                        Source: C:\Users\user\Desktop\file.exe | Code function: EnumSystemLocalesW,0_2_001572FA
                        Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00157385
                        Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,0_2_001575D8
                        Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00157701
                        Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,0_2_00157807
                        Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoEx,0_2_0010B80D
                        Source: C:\Users\user\Desktop\file.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_001578D6
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0010CDC4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_0010CDC4
                        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00152067 GetTimeZoneInformation,0_2_00152067
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                        Source: Amcache.hve.4.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                        Source: Amcache.hve.4.dr | Binary or memory string: msmpeng.exe
                        Source: Amcache.hve.4.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                        Source: Amcache.hve.4.dr | Binary or memory string: MsMpEng.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                        Stealing of Sensitive Information

                        Source: Yara match | File source: dump.pcap, type: PCAP
                        Source: Yara match | File source: 0.2.file.exe.17ab00.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.file.exe.17ab00.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.file.exe.e0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000001.00000002.1783599988.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: file.exe PID: 6724, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6804, type: MEMORYSTR
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\atomic\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Binance\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
                        Source: Yara match | File source: 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6804, type: MEMORYSTR

                        Remote Access Functionality

                        Source: Yara match | File source: dump.pcap, type: PCAP
                        Source: Yara match | File source: 0.2.file.exe.17ab00.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.file.exe.17ab00.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.file.exe.e0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000001.00000002.1783599988.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: file.exe PID: 6724, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6804, type: MEMORYSTR
                        Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
                        Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
                        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
                        Execution: 221 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
                        Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
                        Privilege Escalation: 411 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
                        Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 241 Virtualization/Sandbox Evasion; 411 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading
                        Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
                        Discovery: 2 System Time Discovery; 241 Security Software Discovery; 1 Process Discovery; 241 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 134 System Information Discovery
                        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
                        Collection: 1 Archive Collected Data; 2 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
                        Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
                        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
                        Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

                        Source | Detection | Scanner | Label | Link
                        file.exe | 37% | ReversingLabs | ByteCode-MSIL.Infostealer.Kysler
                        file.exe | 100% | Joe Sandbox ML
                        No Antivirus matches
                        No Antivirus matches
                        No Antivirus matches
                        No contacted domains info
                        Name | Malicious | Antivirus Detection | Reputation
                        77.105.135.107:3445 | true | Avira URL Cloud: safe | unknown
                        Name | Source | Malicious | Antivirus Detection | Reputation
                        http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeyRegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id15ResponseRegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id5ResponseDRegAsm.exe, 00000001.00000002.1784877150.0000000002F7F000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameRegAsm.exe, 00000001.00000002.1784877150.0000000002F7F000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/RenewRegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterRegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id6ResponseRegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKeyRegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://api.ip.sb/ipfile.exe, 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000001.00000002.1783599988.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/04/scRegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id1ResponseDRegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PCRegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/CancelRegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id9ResponseRegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=RegAsm.exe, 00000001.00000002.1784877150.0000000003495000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id20RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id21RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id22RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1RegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id23RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.1784877150.0000000002F7F000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1RegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id24RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/IssueRegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id24ResponseRegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://www.ecosia.org/newtab/RegAsm.exe, 00000001.00000002.1784877150.0000000003495000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://tempuri.org/Entity/Id1ResponseRegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedRegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyRegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/10/wsat/ReplayRegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegoRegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64BinaryRegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCRegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyRegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id21ResponseDRegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/08/addressingRegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueRegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletionRegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/04/trustRegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id10RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id11RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.1784877150.00000000031AA000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id10ResponseDRegAsm.exe, 00000001.00000002.1784877150.0000000002F7F000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id12RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id16ResponseRegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseRegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelRegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id13RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id14RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id15RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id16RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2005/02/trust/NonceRegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id17RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id18RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id5ResponseRegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id19RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsRegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://tempuri.org/Entity/Id15ResponseDRegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id10ResponseRegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2005/02/trust/RenewRegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id11ResponseDRegAsm.exe, 00000001.00000002.1784877150.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.1784877150.00000000031AA000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id8ResponseRegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyRegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0RegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDRegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTRegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2006/02/addressingidentityRegAsm.exe, 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id17ResponseDRegAsm.exe, 00000001.00000002.1784877150.0000000002F7F000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/soap/envelope/RegAsm.exe, 00000001.00000002.1784877150.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://tempuri.org/Entity/Id8ResponseDRegAsm.exe, 00000001.00000002.1784877150.0000000002F7F000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        • No. of IPs < 25%
                        • 25% < No. of IPs < 50%
                        • 50% < No. of IPs < 75%
                        • 75% < No. of IPs
                        IP | Domain | Country | ASN | ASN Name | Malicious
                        77.105.135.107 | unknown | Russian Federation | 42031 | PLUSTELECOM-ASRU | true
                        Joe Sandbox version:40.0.0 Tourmaline
                        Analysis ID:1466203
                        Start date and time:2024-07-02 17:18:06 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 5m 20s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of analysed new started processes analysed:9
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:file.exe
                        Detection:MAL
                        Classification:mal100.troj.spyw.evad.winEXE@4/6@0/1
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 99%
                        • Number of executed functions: 26
                        • Number of non-executed functions: 157
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                        • Excluded IPs from analysis (whitelisted): 20.42.65.92
                        • Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                        • Not all processes were analyzed, report is missing behavior information
                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                        • VT rate limit hit for: file.exe
                        Time | Type | Description
                        11:19:05 | API Interceptor | 29x Sleep call for process: RegAsm.exe modified
                        11:19:12 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                        Match | Associated Sample Name / URL | Detection | Threat Name | Context
                        77.105.135.107 | file.exe | malicious | RedLine |
                        77.105.135.107 | setup.exe | malicious | RedLine |
                        77.105.135.107 | 1719859269.0326595_setup.exe | malicious | LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig |
                              No context
                              Match | Associated Sample Name / URL | Detection | Threat Name | Context
                              PLUSTELECOM-ASRU | file.exe | malicious | RedLine | 77.105.135.107
                              PLUSTELECOM-ASRU | file.exe | malicious | Unknown | 77.105.133.27
                              PLUSTELECOM-ASRU | setup.exe | malicious | RedLine | 77.105.135.107
                              PLUSTELECOM-ASRU | 1719859269.0326595_setup.exe | malicious | LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig | 77.105.135.107
                              PLUSTELECOM-ASRU | zyJWi2vy29.exe | malicious | LummaC, PureLog Stealer, RisePro Stealer, Vidar, zgRAT | 77.105.132.27
                              PLUSTELECOM-ASRU | 1719520929.094843_setup.exe | malicious | LummaC Stealer, Mars Stealer, PrivateLoader, PureLog Stealer, Socks5Systemz, Stealc, Vidar | 77.105.132.27
                              PLUSTELECOM-ASRU | 1Cvd8TyYPm.exe | malicious | LummaC, Mars Stealer, PureLog Stealer, Stealc, Vidar, Xmrig, zgRAT | 77.105.133.27
                              PLUSTELECOM-ASRU | HXUYIDwIMY.exe | malicious | Meduza Stealer | 77.105.147.172
                              PLUSTELECOM-ASRU | lhZOo8vhuI.elf | malicious | Unknown | 77.105.138.202
                              PLUSTELECOM-ASRU | file.exe | malicious | PrivateLoader, PureLog Stealer | 77.105.147.130
                              No context
                              No context
                              Process:C:\Windows\SysWOW64\WerFault.exe
                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):65536
                              Entropy (8bit):0.7030705390227604
                              Encrypted:false
                              SSDEEP:192:UQDd5EhmOvYPliftiX0c20cI3jGGzuiFTZ24IO8TVB1:v+YNiFikc20bjHzuiFTY4IO8X1
                              MD5:35088836DF5A582A3D76A12BD7C0CC11
                              SHA1:302CC1A39FF05BF967877C44838D018F29828D9F
                              SHA-256:796C91D16377C34B0185A30A4F075A8792E959E270EF8B5BF5E61A786EED2DE3
                              SHA-512:AA6B663C53D28A4310746548F4BF9077385B7C1382946D65E4BA0807472448CF147F5CCA64A297FFD141E1184EAE4CE393E1B7C123F1CA105E0BA97D703A1FEC
                              Malicious:true
                              Reputation:low
                              Process:C:\Windows\SysWOW64\WerFault.exe
                              File Type:Mini DuMP crash report, 14 streams, Tue Jul 2 15:18:55 2024, 0x1205a4 type
                              Category:dropped
                              Size (bytes):55812
                              Entropy (8bit):1.7111999058470664
                              Encrypted:false
                              SSDEEP:192:BNiW4aByD4tOa0Osz3S8yZMe7najYvTfkuNeUxzl:avkyjOszi7ZMe7aMLVJ
                              MD5:2D8035244D6626F5CC8754F54334FD41
                              SHA1:1C96B7B8EC9FE8A6126C2AA73F898D79608BB199
                              SHA-256:0193386846750DC1D5489C40EF695B813CD17C25C43401B6690D676EA63A67A1
                              SHA-512:42D56F16A8DB1A01759D6411166B9EDB53FFBD298B3164431A8E7A2EC263FBBADE37A857C198FBD024B4CAF27BA00BC4A5D111DDA41C56CC6D2EB84C21F7CB37
                              Malicious:false
                              Reputation:low
                              Process:C:\Windows\SysWOW64\WerFault.exe
                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):8258
                              Entropy (8bit):3.6907319056445425
                              Encrypted:false
                              SSDEEP:192:R6l7wVeJdCL6mE96Y9XwSU06ZgmfBWViN0pD989buhsfcjd5Gam:R6lXJE6/6YtwSU06Zgmf8UNDuafcxo
                              MD5:F71C092FF4E32F5B810BE01C7A3CC9B7
                              SHA1:BFB72B7B58D679CB6779E29F142C0998B4BFF9C5
                              SHA-256:6A03250611F3D4DEE71434EE1F531B2EB9B01B570A783C8788B80C2920DEE937
                              SHA-512:7A5FFEE6A8A65D681EB14905844D42C11BB5609DA823EDA23B6E0225DEF2464BE91149595BF16B35F81D5CC87AE332E5C6DE1DCCD8A1EE28718609F899011B39
                              Malicious:false
                              Reputation:low
                              Process:C:\Windows\SysWOW64\WerFault.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4537
                              Entropy (8bit):4.4274154951868985
                              Encrypted:false
                              SSDEEP:48:cvIwWl8zsWiJg77aI9kPWpW8VYdAYm8M4JIMXLFP+q8Z8vNq8PYd:uIjfWwI72e7V0NJISFm8lqsYd
                              MD5:1D0743F024E72444D956DEF36B0818A4
                              SHA1:7FD5DE9EBCB5CF36654D2F796C54A18BA7493600
                              SHA-256:057A8C12768D419DE472FE091E282910DF43313A27455A0FEC2BB14453B0CDD6
                              SHA-512:44CA4D908D650E3FB0F40FB17F734E4082AB24A6752C6E9E038E871DEF636414DDC751CD3A19408EF7C536A232D539300D6697A56246617BC18A586B60659BE1
                              Malicious:false
                              Reputation:low
                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="393501" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):3094
                              Entropy (8bit):5.33145931749415
                              Encrypted:false
                              SSDEEP:96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
                              MD5:3FD5C0634443FB2EF2796B9636159CB6
                              SHA1:366DDE94AEFCFFFAB8E03AD8B448E05D7489EB48
                              SHA-256:58307E94C67E2348F5A838DE4FF668983B38B7E9A3B1D61535D3A392814A57D6
                              SHA-512:8535E7C0777C6B0876936D84BDE2BDC59963CF0954D4E50D65808E6E806E8B131DF5DB8FA0E030FAE2702143A7C3A70698A2B9A80519C9E2FFC286A71F0B797C
                              Malicious:false
                              Reputation:high, very likely benign file
                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                              Process:C:\Windows\SysWOW64\WerFault.exe
                              File Type:MS Windows registry file, NT/2000 or above
                              Category:dropped
                              Size (bytes):1835008
                              Entropy (8bit):4.4653200516686375
                              Encrypted:false
                              SSDEEP:6144:SIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNPdwBCswSbc:XXD94+WlLZMM6YFH1+c
                              MD5:3EC1449458A10EC37E586A45E2F84CAF
                              SHA1:6B770E3ED921417D96C1B49B4EC91FC22BB74B9B
                              SHA-256:45FB24FA73BF33BC2C3CC514B235146C4A15B07ABF9AD4C6673D021940D79DF0
                              SHA-512:0E2543EFBE078C2A7BC7C9CD4764F083F4DA92372AE745B348FE5ACC3CBF12E1B362F35B3104708C0E5B523658DFFCBD2553336860F69263C70EAD148BF91EA9
                              Malicious:false
                              Reputation:low
                              Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.%F'.................................................................................................................................................................................................................................................................................................................................................sP.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):7.299279831448098
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 99.96%
                              • Generic Win/DOS Executable (2004/3) 0.02%
                              • DOS Executable Generic (2002/1) 0.02%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:file.exe
                              File size:957'440 bytes
                              MD5:5d505724b7a084217d7db6b2710d8613
                              SHA1:f444284be57973aa0d2fa22cdea4e3a639bdb6c4
                              SHA256:c4024302b2f74461f6aecd5ca2f2889fa8ed48a420cb2176ae782368e2c5c6eb
                              SHA512:bcc79a8856aa5aee6349d602d75c2c1c615a12502d1256b044572b69bb3ac3bb9632a4b61956d41c7186a3d97dcf376968983bd16b417a8dcd89ecc4aeef42d0
                              SSDEEP:24576:fl5DVdQCg30luJ6ku5xTXKALkQHZqG2X3XY2QXVROMRm6R:tMEYJ6ku5d8kZqRX3o3XV0MRm6R
                              TLSH:8E15CE1135C08036D67321320AA8F7BA8ABEF4341B2966DF17D8597EAF346C15B3526F
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........~...-...-...-\..,...-\..,&..-\..,...-Mb.,...-Mb.,...-\..,...-...-...-Mb.,...-|a.,...-|a.,...-|a.-...-|a.,...-Rich...-.......
                              Icon Hash:90cececece8e8eb0
                              Entrypoint:0x42c36a
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                              Time Stamp:0x6683DD9B [Tue Jul 2 10:59:39 2024 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:6
                              OS Version Minor:0
                              File Version Major:6
                              File Version Minor:0
                              Subsystem Version Major:6
                              Subsystem Version Minor:0
                              Import Hash:a2b3c9bb8bf21aa189ddce7cb05111e0
                              Instruction
                              call 00007EFC39065E87h
                              jmp 00007EFC390651FCh
                              cmp ecx, dword ptr [0049A040h]
                              jne 00007EFC390653E3h
                              ret
                              jmp 00007EFC3906623Fh
                              jmp 00007EFC39066524h
                              push ebp
                              mov ebp, esp
                              jmp 00007EFC390653EFh
                              push dword ptr [ebp+08h]
                              call 00007EFC390A0C25h
                              pop ecx
                              test eax, eax
                              je 00007EFC390653F1h
                              push dword ptr [ebp+08h]
                              call 00007EFC39091905h
                              pop ecx
                              test eax, eax
                              je 00007EFC390653C8h
                              pop ebp
                              ret
                              cmp dword ptr [ebp+08h], FFFFFFFFh
                              je 00007EFC3906651Ch
                              jmp 00007EFC390664F9h
                              push ebp
                              mov ebp, esp
                              push dword ptr [ebp+08h]
                              call 00007EFC390664E9h
                              pop ecx
                              pop ebp
                              ret
                              mov dword ptr [ecx], 0048A520h
                              ret
                              push ebp
                              mov ebp, esp
                              test byte ptr [ebp+08h], 00000001h
                              push esi
                              mov esi, ecx
                              mov dword ptr [esi], 0048A520h
                              je 00007EFC390653ECh
                              push 0000000Ch
                              push esi
                              call 00007EFC390653B6h
                              pop ecx
                              pop ecx
                              mov eax, esi
                              pop esi
                              pop ebp
                              retn 0004h
                              push ebp
                              mov ebp, esp
                              mov eax, dword ptr [ebp+08h]
                              push esi
                              mov ecx, dword ptr [eax+3Ch]
                              add ecx, eax
                              movzx eax, word ptr [ecx+14h]
                              lea edx, dword ptr [ecx+18h]
                              add edx, eax
                              movzx eax, word ptr [ecx+06h]
                              imul esi, eax, 28h
                              add esi, edx
                              cmp edx, esi
                              je 00007EFC390653FBh
                              mov ecx, dword ptr [ebp+0Ch]
                              cmp ecx, dword ptr [edx+0Ch]
                              jc 00007EFC390653ECh
                              mov eax, dword ptr [edx+08h]
                              add eax, dword ptr [edx+0Ch]
                              cmp ecx, eax
                              jc 00007EFC390653EEh
                              add edx, 28h
                              cmp edx, esi
                              jne 00007EFC390653CCh
                              xor eax, eax
                              pop esi
                              pop ebp
                              ret
                              mov eax, edx
                              Name | Virtual Address | Virtual Size | Is in Section
                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x98d60 | 0x48 | .rdata
                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x98da8 | 0x50 | .rdata
                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe9000 | 0x1e0 | .rsrc
                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xea000 | 0x4ab8 | .reloc
                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92950 | 0x54 | .rdata
                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x92890 | 0x40 | .rdata
                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_IAT | 0x88000 | 0x20c | .rdata
                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                              Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                              .text | 0x1000 | 0x855e7 | 0x85600 | 0d68ed18f7caa9ebfb8774d8c45eb92d | False | 0.41277017924086223 | data | 6.671599972650418 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                              .bss | 0x87000 | 0xf7d | 0x1000 | 37f104a686caec84200bd218749604e0 | False | 0.629638671875 | data | 6.354355953942119 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                              .rdata | 0x88000 | 0x11a10 | 0x11c00 | e70b33041a43508f8f445e7fd8ab10f3 | False | 0.3753163512323944 | data | 4.846543895259657 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                              .data | 0x9a000 | 0x4e080 | 0x4c800 | de1caad34b281f0974c9271d6a673e72 | False | 0.9814293555964052 | data | 7.987184428264986 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              .rsrc | 0xe9000 | 0x1e0 | 0x200 | 9df81114beeb0701a76cbdf68bafb630 | False | 0.53125 | data | 4.7176788329467545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                              .reloc | 0xea000 | 0x4ab8 | 0x4c00 | 9c0abc7d63cffcb38eaaecde5bf08ab2 | False | 0.735608552631579 | data | 6.615552473192772 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                              Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                              RT_MANIFEST | 0xe9060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
                              DLL | Import
                              GDI32.dll | SetPixel
                              USER32.dll | GetDC, OffsetRect, ReleaseDC, GetUpdateRgn
                              KERNEL32.dll | CreateFileW, HeapSize, GetProcessHeap, SetStdHandle, SetEnvironmentVariableW, VirtualAlloc, WaitForSingleObject, CreateThread, FormatMessageA, WideCharToMultiByte, GetCurrentThreadId, CloseHandle, WaitForSingleObjectEx, Sleep, SwitchToThread, GetExitCodeThread, GetNativeSystemInfo, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, LocalFree, GetLocaleInfoEx, MultiByteToWideChar, LCMapStringEx, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, WakeConditionVariable, WakeAllConditionVariable, SleepConditionVariableSRW, QueryPerformanceCounter, QueryPerformanceFrequency, SetFileInformationByHandle, GetTempPathW, InitOnceExecuteOnce, CreateEventExW, CreateSemaphoreExW, FlushProcessWriteBuffers, GetCurrentProcessorNumber, GetSystemTimeAsFileTime, GetTickCount64, FreeLibraryWhenCallbackReturns, CreateThreadpoolTimer, SetThreadpoolTimer, WaitForThreadpoolTimerCallbacks, CloseThreadpoolTimer, CreateThreadpoolWait, SetThreadpoolWait, CloseThreadpoolWait, GetModuleHandleW, GetProcAddress, GetFileInformationByHandleEx, CreateSymbolicLinkW, GetStringTypeW, CompareStringEx, GetCPInfo, IsProcessorFeaturePresent, GetCurrentProcessId, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetCurrentProcess, TerminateProcess, FreeEnvironmentStringsW, RaiseException, RtlUnwind, InterlockedPushEntrySList, InterlockedFlushSList, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetModuleHandleExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, GetCurrentThread, SetConsoleCtrlHandler, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, GetTimeZoneInformation, OutputDebugStringW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, WriteConsoleW
                              Name | Ordinal | Address
                              AwakeSound | 1 | 0x487d60
                              Language of compilation system | Country where language is spoken | Map
                              English | United States |
                              Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                              07/02/24-17:18:57.592984 | TCP | 2046045 | ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 49731 | 3445 | 192.168.2.4 | 77.105.135.107
                              07/02/24-17:18:57.785662 | TCP | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 3445 | 49731 | 77.105.135.107 | 192.168.2.4
                              07/02/24-17:19:08.955501 | TCP | 2043231 | ET TROJAN Redline Stealer TCP CnC Activity | 49731 | 3445 | 192.168.2.4 | 77.105.135.107
                              07/02/24-17:19:03.098044 | TCP | 2046056 | ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) | 3445 | 49731 | 77.105.135.107 | 192.168.2.4
                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                              Jul 2, 2024 17:19:06.941025972 CEST497313445192.168.2.477.105.135.107
                              Jul 2, 2024 17:19:06.944927931 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.944936991 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.944967031 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.944974899 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.945018053 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.945027113 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.945041895 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.945050955 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.945090055 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.945099115 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.945126057 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.945135117 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.945143938 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.945152998 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.945301056 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.945308924 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.945318937 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.945385933 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.945394993 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.945413113 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.945420027 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.945442915 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.945451021 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.945466042 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.945473909 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.945503950 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.945512056 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.945542097 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.945575953 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.945612907 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.945621967 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.945652008 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.945660114 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.945683002 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.945744991 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.945818901 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.945827007 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.945866108 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.945874929 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.945895910 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.945905924 CEST497313445192.168.2.477.105.135.107
                              Jul 2, 2024 17:19:06.945934057 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.945962906 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.945974112 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.945975065 CEST497313445192.168.2.477.105.135.107
                              Jul 2, 2024 17:19:06.945995092 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.946002960 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.946038008 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.946046114 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.946053982 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.946072102 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.946080923 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.946126938 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.946145058 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.946152925 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.946194887 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.946202993 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.946253061 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.946260929 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.946264029 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.946280956 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.946289062 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.946330070 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.946337938 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.946346045 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.946367025 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.946374893 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.946419001 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.946427107 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.946480989 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.946489096 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.946553946 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.946563005 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.946571112 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.946578026 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.946585894 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.946598053 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.946605921 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.946613073 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.946623087 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.946630955 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.946690083 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.946698904 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.946707964 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.946716070 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.949520111 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.949583054 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.949590921 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.949702024 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.950007915 CEST497313445192.168.2.477.105.135.107
                              Jul 2, 2024 17:19:06.950086117 CEST497313445192.168.2.477.105.135.107
                              Jul 2, 2024 17:19:06.950676918 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.950773954 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.950782061 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.950824976 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.950833082 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.950880051 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.950889111 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.950937033 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.950944901 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.950984955 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.950993061 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.951009035 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.951018095 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.951055050 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.951065063 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.951200962 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.951210022 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.951229095 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.951266050 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.951349974 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.951364040 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.951421022 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.951428890 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.951445103 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.951452971 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.951462984 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.951471090 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.951527119 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.951535940 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.951544046 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.951551914 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.951596022 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.951603889 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.951611996 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.951616049 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.951633930 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.951642036 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.951649904 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.951664925 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.951673985 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.951682091 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.951690912 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.951709032 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.951716900 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.951725006 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.951733112 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.951744080 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.951752901 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.951760054 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.951767921 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.951807022 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.951814890 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.951823950 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.951832056 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.952054977 CEST497313445192.168.2.477.105.135.107
                              Jul 2, 2024 17:19:06.952120066 CEST497313445192.168.2.477.105.135.107
                              Jul 2, 2024 17:19:06.954777002 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.954862118 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.954869986 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.954906940 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.954914093 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.954941988 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.954982996 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.954991102 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.955024004 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.955071926 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.955080986 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.955157995 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.955166101 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.955204964 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.955213070 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.955229044 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.955235958 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.955259085 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.955267906 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.955343962 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.955352068 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.955418110 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.955426931 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.955436945 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.955452919 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.955495119 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.955571890 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.955579996 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.955589056 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.955703020 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.955712080 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.955768108 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.955775976 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.955791950 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.955800056 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.955816031 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.955825090 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.955874920 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.955883026 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.955890894 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.955900908 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.955909014 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.955940008 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.955948114 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.955955982 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.955982924 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.955991030 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.956032038 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.956039906 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.956048965 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.956094027 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.956103086 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.956110954 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.956151962 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.956500053 CEST497313445192.168.2.477.105.135.107
                              Jul 2, 2024 17:19:06.956571102 CEST497313445192.168.2.477.105.135.107
                              Jul 2, 2024 17:19:06.956860065 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.956898928 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.956938982 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.956947088 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.957042933 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.957139969 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.957149029 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.957185984 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.957194090 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.957225084 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.957233906 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.957305908 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.957360029 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.957367897 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.957376003 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.957393885 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.957406044 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.957427025 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.957443953 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.957484961 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.957494020 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.957531929 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.957540035 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.957571030 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.957578897 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.957588911 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.957613945 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.957649946 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.957659006 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.957684994 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.957694054 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.957729101 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.957737923 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.957765102 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.957773924 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.957796097 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.957804918 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.957859993 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.957868099 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.957884073 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.957892895 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.957901001 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.957916975 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.957925081 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.957957983 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.957967043 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.957983971 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.958024979 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.958033085 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.958060980 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.958069086 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.958077908 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.958095074 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.958102942 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.958323002 CEST497313445192.168.2.477.105.135.107
                              Jul 2, 2024 17:19:06.958389044 CEST497313445192.168.2.477.105.135.107
                              Jul 2, 2024 17:19:06.961484909 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.961494923 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.961503983 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.961519003 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.961527109 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.961543083 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.961551905 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.961560965 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.961570024 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.961577892 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.961595058 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.961604118 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.961611986 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.961620092 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.961663008 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.961672068 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.961705923 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.961715937 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.961750984 CEST34454973177.105.135.107192.168.2.4
                              Jul 2, 2024 17:19:06.961760044 CEST34454973177.105.135.107192.168.2.4
                              Target ID:0
                              Start time:11:18:54
                              Start date:02/07/2024
                              Path:C:\Users\user\Desktop\file.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\file.exe"
                              Imagebase:0xe0000
                              File size:957'440 bytes
                              MD5 hash:5D505724B7A084217D7DB6B2710D8613
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:true

                              Target ID:1
                              Start time:11:18:54
                              Start date:02/07/2024
                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                              Imagebase:0xac0000
                              File size:65'440 bytes
                              MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000002.1783599988.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000002.1784877150.0000000002F35000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:high
                              Has exited:true

                              Target ID:4
                              Start time:11:18:55
                              Start date:02/07/2024
                              Path:C:\Windows\SysWOW64\WerFault.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6724 -s 312
                              Imagebase:0xdc0000
                              File size:483'680 bytes
                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true


                                Execution Graph

                                Execution Coverage:0.7%
                                Dynamic/Decrypted Code Coverage:1.8%
                                Signature Coverage:18.3%
                                Total number of Nodes:339
                                Total number of Limit Nodes:6

                                Control-flow Graph

                                APIs
                                • CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,028400FF,028400EF), ref: 028402FC
                                • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 0284030F
                                • Wow64GetThreadContext.KERNEL32(000000E8,00000000), ref: 0284032D
                                • ReadProcessMemory.KERNELBASE(00000118,?,02840143,00000004,00000000), ref: 02840351
                                • VirtualAllocEx.KERNELBASE(00000118,?,?,00003000,00000040), ref: 0284037C
                                • WriteProcessMemory.KERNELBASE(00000118,00000000,?,?,00000000,?), ref: 028403D4
                                • WriteProcessMemory.KERNELBASE(00000118,00400000,?,?,00000000,?,00000028), ref: 0284041F
                                • WriteProcessMemory.KERNELBASE(00000118,?,?,00000004,00000000), ref: 0284045D
                                • Wow64SetThreadContext.KERNEL32(000000E8,02850000), ref: 02840499
                                • ResumeThread.KERNELBASE(000000E8), ref: 028404A8
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826899123.0000000002840000.00000040.00001000.00020000.00000000.sdmp, Offset: 02840000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2840000_file.jbxd
                                Similarity
                                • API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
                                • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
                                • API String ID: 2687962208-1257834847
                                • Opcode ID: 6ed679946abb4a161c9f75f6101290084365813039212a6bd0c7882d8dd446c2
                                • Instruction ID: 38a598608db21f24f7ff936583d20ec15cf66380049a70fc6f36d7b76cf8f5a3
                                • Opcode Fuzzy Hash: 6ed679946abb4a161c9f75f6101290084365813039212a6bd0c7882d8dd446c2
                                • Instruction Fuzzy Hash: 32B1D57664024AAFDB60CF68CC80BDA77A5FF88714F158524EA0CEB341D774FA518B94

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 112 1678f0-16793d call 10c387 115 167940-167957 112->115 116 167966-167979 call e8160 115->116 117 167959-167964 115->117 118 16797d-167981 116->118 117->118 118->115 121 167983-16799a 118->121 122 16799c-1679a2 121->122 123 167a0d-167a14 121->123 126 167b1a call e79d0 122->126 127 1679a8-1679b5 122->127 124 167a1a-167a1c 123->124 125 167a9b-167a9d 123->125 133 167a20-167a99 call e5b90 call e5da0 call e5b90 call e5da0 call 13674a 124->133 130 167a9f-167aac 125->130 131 167ac8-167adc call 10c3b7 125->131 136 167b1f call e1520 126->136 128 1679b7-1679bc 127->128 129 1679e2-1679e4 127->129 135 1679c2-1679cd call 10c387 128->135 128->136 138 1679e6-1679f5 call 10c387 129->138 139 1679f7 129->139 140 167abe-167ac5 call 10c3b7 130->140 141 167aae-167abc 130->141 153 167b07-167b19 call 10c374 131->153 154 167ade-167aeb 131->154 133->125 147 167b24-167bdf call 136bf1 call e8390 call 10c387 call 167540 VirtualAlloc GetUpdateRgn call 1678f0 135->147 160 1679d3-1679e0 135->160 136->147 146 1679f9-167a0a call 10e260 138->146 139->146 140->131 141->140 141->147 146->123 182 167be4-167c11 call 1671f0 147->182 161 167afd-167b04 call 10c3b7 154->161 162 167aed-167afb 154->162 160->146 161->153 162->147 162->161 186 167c13-167c1f 182->186 187 167c3b-167c4d call 10c374 182->187 188 167c31-167c38 call 10c3b7 186->188 189 167c21-167c2f 186->189 188->187 189->188 191 167c4e-167c73 call 136bf1 189->191 197 167c75-167c7c 191->197 198 167c9d-167c9f 191->198 199 167c80 197->199 200 167c85-167c94 call e2b40 199->200 203 167c96-167c99 200->203 203->199 204 167c9b-167c9c 203->204 204->198
                                APIs
                                  • Part of subcall function 000E1520: ___std_exception_copy.LIBVCRUNTIME ref: 000E155C
                                • VirtualAlloc.KERNELBASE(00000000,000004AC,00001000,00000040,?), ref: 00167BC8
                                • GetUpdateRgn.USER32(00000000,00000000,00000000), ref: 00167BD9
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocUpdateVirtual___std_exception_copy
                                • String ID: Earth$Own head
                                • API String ID: 3005764785-4036566267
                                • Opcode ID: 79a5ec9e9551ae690216df512199b0f8a72d0cf20975c8785a3b4dbf0b06c529
                                • Instruction ID: 00e3b539717cc4579603771094d2f36e657edb36106ea83fef1975fdeb57992d
                                • Opcode Fuzzy Hash: 79a5ec9e9551ae690216df512199b0f8a72d0cf20975c8785a3b4dbf0b06c529
                                • Instruction Fuzzy Hash: 96A154719083445BC710EF78DC82AAFB7E4FF95318F144729F889A7282E774EA948791

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 336 14a686-14a696 337 14a6c5-14a6c9 336->337 338 14a698-14a6a9 GetPEB 336->338 339 14a6bc-14a6c3 338->339 340 14a6ab-14a6af call 148e54 338->340 339->337 342 14a6b4-14a6b7 340->342 342->339 343 14a6b9-14a6bb 342->343 343->339
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3d751a3a3cd6dd7e0fee05428575dca24a42cbc7875043f7805a2fd7a97bd744
                                • Instruction ID: fdadcb355412c664236756966a8c06116015c3336711bf130ff0695e2453a1ad
                                • Opcode Fuzzy Hash: 3d751a3a3cd6dd7e0fee05428575dca24a42cbc7875043f7805a2fd7a97bd744
                                • Instruction Fuzzy Hash: 5AF0A072A502309BCB12CB4CC805B4973ACEB08B14F12049AE400E7160C7B0DE00CBD0

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 23 148ba9-148bb5 24 148c47-148c4a 23->24 25 148c50 24->25 26 148bba-148bcb 24->26 27 148c52-148c56 25->27 28 148bcd-148bd0 26->28 29 148bd8-148bf1 LoadLibraryExW 26->29 30 148bd6 28->30 31 148c70-148c72 28->31 32 148c57-148c67 29->32 33 148bf3-148bfc GetLastError 29->33 35 148c44 30->35 31->27 32->31 34 148c69-148c6a FreeLibrary 32->34 36 148c35-148c42 33->36 37 148bfe-148c10 call 148588 33->37 34->31 35->24 36->35 37->36 40 148c12-148c24 call 148588 37->40 40->36 43 148c26-148c33 LoadLibraryExW 40->43 43->32 43->36
                                APIs
                                • FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,4C17592F,?,00148CB6,?,?,?,00000000), ref: 00148C6A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: FreeLibrary
                                • String ID: api-ms-$ext-ms-
                                • API String ID: 3664257935-537541572
                                • Opcode ID: b3542599b605de98dd707b47f42744647e3b923e97f6ad497cf5da197ee7fc30
                                • Instruction ID: c578edc18ff3b03603eae97beaf9b28074bc518c8f199956df218b28b7a07148
                                • Opcode Fuzzy Hash: b3542599b605de98dd707b47f42744647e3b923e97f6ad497cf5da197ee7fc30
                                • Instruction Fuzzy Hash: 2F212071A03116ABCB229B65DCC4EDE3758DB527A4F250211E906E76E0DF70ED41C6F0

                                Control-flow Graph

                                APIs
                                • ___security_init_cookie.LIBCMT ref: 0010C181
                                  • Part of subcall function 0010CE11: ___get_entropy.LIBCMT ref: 0010CE2B
                                • ___scrt_release_startup_lock.LIBCMT ref: 0010C21D
                                • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 0010C231
                                • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 0010C257
                                • ___scrt_uninitialize_crt.LIBCMT ref: 0010C2A0
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ___scrt_is_nonwritable_in_current_image$___get_entropy___scrt_release_startup_lock___scrt_uninitialize_crt___security_init_cookie
                                • String ID:
                                • API String ID: 2539496024-0
                                • Opcode ID: d829cf3f033c54b868bc76c48d519f80edafece658f0f9345a4a60d0dba04987
                                • Instruction ID: 91eb2930c325db3ab3b1bfc478bf841bb6b3137171f354dcc94bfe1999bc166e
                                • Opcode Fuzzy Hash: d829cf3f033c54b868bc76c48d519f80edafece658f0f9345a4a60d0dba04987
                                • Instruction Fuzzy Hash: 03310532544A419BDB247BB4EC12A9D77629F65B60F200629F0C17B5E3DFE248418ED5

                                Control-flow Graph

                                APIs
                                • GetCurrentThreadId.KERNEL32 ref: 00167DCD
                                  • Part of subcall function 000EC042: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000), ref: 000EC04E
                                  • Part of subcall function 000EC042: GetExitCodeThread.KERNEL32(?,?), ref: 000EC067
                                  • Part of subcall function 000EC042: CloseHandle.KERNEL32(?), ref: 000EC079
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Thread$CloseCodeCurrentExitHandleObjectSingleWait
                                • String ID: Success created.$Success destroyed.$jjj
                                • API String ID: 3356992203-3362827742
                                • Opcode ID: aa68981cb21b3cf368eb77ffdd605407f99ae4119e7bb1f0247c549b35a3be8f
                                • Instruction ID: 59dd34924963748a320050584f8a37c2e3b1e8405c849e422d9d74461181b425
                                • Opcode Fuzzy Hash: aa68981cb21b3cf368eb77ffdd605407f99ae4119e7bb1f0247c549b35a3be8f
                                • Instruction Fuzzy Hash: 6211C871741341BEE7303BB59D07F9B36659F60B46F504828F688BA1C3FBB298248B65

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 244 11aeba-11aec5 245 11aec7-11aeda call 13a7d9 call 136be1 244->245 246 11aedb-11aeee call 11ad7d 244->246 251 11aef0-11af0d CreateThread 246->251 252 11af1c 246->252 254 11af2b-11af30 251->254 255 11af0f-11af1b GetLastError call 13a77f 251->255 256 11af1e-11af2a call 11acb1 252->256 260 11af32-11af35 254->260 261 11af37-11af3b 254->261 255->252 260->261 261->256
                                APIs
                                • CreateThread.KERNELBASE(?,00000001,Function_0003AC01,00000000,?,?), ref: 0011AF03
                                • GetLastError.KERNEL32(?,?,?,000EC117,00000000,00000000,00000001,?,00000000,?,?,?,000EBFAD,00000000,Function_0000BEFE,?), ref: 0011AF0F
                                • __dosmaperr.LIBCMT ref: 0011AF16
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateErrorLastThread__dosmaperr
                                • String ID:
                                • API String ID: 2744730728-0
                                • Opcode ID: fd291f3e4ed447e6504f18ba982ffd15fc6edb184af4e95727e277c8f2ae40d2
                                • Instruction ID: 5aba779bfea5b60ebcb91241da47c56e8ac79004f7791ba03259d812d8d3e4f9
                                • Opcode Fuzzy Hash: fd291f3e4ed447e6504f18ba982ffd15fc6edb184af4e95727e277c8f2ae40d2
                                • Instruction Fuzzy Hash: F001B1B250220AAFCF199FA0DC06AEE7FA4EF10360F504068F80192150DB71DE81EB92

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 264 167b30-167bdf call e8390 call 10c387 call 167540 VirtualAlloc GetUpdateRgn call 1678f0 272 167be4-167c11 call 1671f0 264->272 276 167c13-167c1f 272->276 277 167c3b-167c4d call 10c374 272->277 278 167c31-167c38 call 10c3b7 276->278 279 167c21-167c2f 276->279 278->277 279->278 281 167c4e-167c73 call 136bf1 279->281 287 167c75-167c7c 281->287 288 167c9d-167c9f 281->288 289 167c80 287->289 290 167c85-167c94 call e2b40 289->290 293 167c96-167c99 290->293 293->289 294 167c9b-167c9c 293->294 294->288
                                APIs
                                • VirtualAlloc.KERNELBASE(00000000,000004AC,00001000,00000040,?), ref: 00167BC8
                                • GetUpdateRgn.USER32(00000000,00000000,00000000), ref: 00167BD9
                                  • Part of subcall function 001671F0: OffsetRect.USER32(00000000,00000000,00000000), ref: 001672E8
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocOffsetRectUpdateVirtual
                                • String ID:
                                • API String ID: 3922179882-0
                                • Opcode ID: 706101741d5792dce2df4c764ac057b21af8ea345910f6001abd76768bb6df4c
                                • Instruction ID: 37fe393ed0b4524ace464b36ad160a0a13b40992357347f21dee974c02a59368
                                • Opcode Fuzzy Hash: 706101741d5792dce2df4c764ac057b21af8ea345910f6001abd76768bb6df4c
                                • Instruction Fuzzy Hash: D7313971E04208ABD704DF68ED82BADB7B1BF55314F104229F9046B2C1EB70AA918795

                                Control-flow Graph

                                APIs
                                • GetLastError.KERNEL32(00178118,0000000C), ref: 0011AC14
                                • ExitThread.KERNEL32 ref: 0011AC1B
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorExitLastThread
                                • String ID:
                                • API String ID: 1611280651-0
                                • Opcode ID: 2affd25fa789b32aecd8646e9d2390260713bd85655848b220fda9af4f558ae5
                                • Instruction ID: 3de97c3f35031475c16ed9160994d73d783f8bcd3bf9c34cd777c06ec8147292
                                • Opcode Fuzzy Hash: 2affd25fa789b32aecd8646e9d2390260713bd85655848b220fda9af4f558ae5
                                • Instruction Fuzzy Hash: DDF0F6B0940200AFDB04BFF0CC0AA6E3B74FF55710F548559F105976A2CF749982CBA2

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 314 148c74-148c9c 315 148ca2-148ca4 314->315 316 148c9e-148ca0 314->316 318 148ca6-148ca8 315->318 319 148caa-148cb1 call 148ba9 315->319 317 148cf3-148cf6 316->317 318->317 321 148cb6-148cba 319->321 322 148cbc-148cca GetProcAddress 321->322 323 148cd9-148cf0 321->323 322->323 324 148ccc-148cd7 call 1482f2 322->324 325 148cf2 323->325 324->325 325->317
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d66b49778baef5083da222372bf57a5336b2debfa2c1a1f2694553be317fcac0
                                • Instruction ID: e8cf1a9dc186518bd291f008e66fbb6e94abd0414f96dfc8a59369cb1ec9e8d7
                                • Opcode Fuzzy Hash: d66b49778baef5083da222372bf57a5336b2debfa2c1a1f2694553be317fcac0
                                • Instruction Fuzzy Hash: CF012437301221AFAB169E6DEC90A9F33E6FBC53307258120FA04DB5A4DF35C88197A0
                                APIs
                                • DName::DName.LIBVCRUNTIME ref: 00114022
                                • operator+.LIBVCRUNTIME ref: 0011403C
                                • DName::operator+.LIBCMT ref: 0011416A
                                • DName::operator+.LIBCMT ref: 00114187
                                  • Part of subcall function 001153A0: DName::DName.LIBVCRUNTIME ref: 001153E3
                                • DName::operator+.LIBCMT ref: 0011423B
                                • DName::operator+.LIBCMT ref: 0011424A
                                  • Part of subcall function 00119B20: DName::operator+.LIBCMT ref: 00119B64
                                  • Part of subcall function 00119B20: DName::operator+.LIBCMT ref: 00119B70
                                  • Part of subcall function 00119B20: DName::operator+.LIBCMT ref: 00119BEB
                                  • Part of subcall function 00119B20: DName::operator+=.LIBCMT ref: 00119C2E
                                • DName::operator+.LIBCMT ref: 001141D6
                                  • Part of subcall function 00113D92: DName::operator=.LIBVCRUNTIME ref: 00113DB3
                                  • Part of subcall function 00113D3A: shared_ptr.LIBCMT ref: 00113D56
                                  • Part of subcall function 00115A9C: shared_ptr.LIBCMT ref: 00115B42
                                • DName::operator+.LIBCMT ref: 001147B4
                                • DName::operator+.LIBCMT ref: 001147D0
                                • DName::operator+.LIBCMT ref: 00114A6F
                                  • Part of subcall function 00113C29: DName::operator+.LIBCMT ref: 00113C4A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Name::operator+$NameName::shared_ptr$Name::operator+=Name::operator=operator+
                                • String ID: /
                                • API String ID: 848932493-2043925204
                                • Opcode ID: cb1b6aec53cd822db953ffff0f4f677fa7f801e63b1dcb3a32368e89baca4a8a
                                • Instruction ID: f3352ff7cc49f1701cdcf818e575dec3ea1c2997256bc0a8520e5a575ebc2048
                                • Opcode Fuzzy Hash: cb1b6aec53cd822db953ffff0f4f677fa7f801e63b1dcb3a32368e89baca4a8a
                                • Instruction Fuzzy Hash: 1A927EB2E146199BDB1CDFE8DC95BEE77B4AB18700F044139F512E7284EB68D988CB50
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: __floor_pentium4
                                • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                • API String ID: 4168288129-2761157908
                                APIs
                                • GetLocaleInfoW.KERNEL32(?,2000000B,00157A1F,00000002,00000000,?,?,?,00157A1F,?,00000000), ref: 0015779A
                                • GetLocaleInfoW.KERNEL32(?,20001004,00157A1F,00000002,00000000,?,?,?,00157A1F,?,00000000), ref: 001577C3
                                • GetACP.KERNEL32(?,?,00157A1F,?,00000000), ref: 001577D8
                                Strings
                                Similarity
                                • API ID: InfoLocale
                                • String ID: ACP$OCP
                                • API String ID: 2299586839-711371036
                                APIs
                                  • Part of subcall function 0014A1E8: GetLastError.KERNEL32(?,?,0011AC26,00178118,0000000C), ref: 0014A1EC
                                  • Part of subcall function 0014A1E8: SetLastError.KERNEL32(00000000), ref: 0014A28E
                                • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 001579E2
                                • IsValidCodePage.KERNEL32(00000000), ref: 00157A2B
                                • IsValidLocale.KERNEL32(?,00000001), ref: 00157A3A
                                • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00157A82
                                • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00157AA1
                                Similarity
                                • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                • String ID:
                                • API String ID: 415426439-0
                                APIs
                                  • Part of subcall function 0014A1E8: GetLastError.KERNEL32(?,?,0011AC26,00178118,0000000C), ref: 0014A1EC
                                  • Part of subcall function 0014A1E8: SetLastError.KERNEL32(00000000), ref: 0014A28E
                                • GetACP.KERNEL32(?,?,?,?,?,?,001468CB,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00157015
                                • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,001468CB,?,?,?,00000055,?,-00000050,?,?), ref: 00157040
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 001571A3
                                Strings
                                Similarity
                                • API ID: ErrorLast$CodeInfoLocalePageValid
                                • String ID: utf8
                                • API String ID: 607553120-905460609
                                APIs
                                Similarity
                                • API ID: _strrchr
                                • String ID:
                                • API String ID: 3213747228-0
                                APIs
                                • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 00152FEA
                                • FindNextFileW.KERNEL32(00000000,?), ref: 001530DE
                                • FindClose.KERNEL32(00000000), ref: 0015311D
                                • FindClose.KERNEL32(00000000), ref: 00153150
                                Similarity
                                • API ID: Find$CloseFile$FirstNext
                                • String ID:
                                • API String ID: 1164774033-0
                                APIs
                                • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 0015321A
                                • FindNextFileW.KERNEL32(00000000,?), ref: 00153295
                                • FindClose.KERNEL32(00000000), ref: 001532B7
                                • FindClose.KERNEL32(00000000), ref: 001532DA
                                Similarity
                                • API ID: Find$CloseFile$FirstNext
                                • String ID:
                                • API String ID: 1164774033-0
                                APIs
                                • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 0010CEFB
                                • IsDebuggerPresent.KERNEL32 ref: 0010CFC7
                                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0010CFE0
                                • UnhandledExceptionFilter.KERNEL32(?), ref: 0010CFEA
                                Similarity
                                • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                • String ID:
                                • API String ID: 254469556-0
                                APIs
                                • GetLocaleInfoEx.KERNEL32(!x-sys-default-locale,20000001,?,00000002), ref: 000EE9C3
                                • FormatMessageA.KERNEL32(00001300,00000000,?,?,?,00000000,00000000), ref: 000EE9EA
                                Strings
                                Similarity
                                • API ID: FormatInfoLocaleMessage
                                • String ID: !x-sys-default-locale
                                • API String ID: 4235545615-2729719199
                                APIs
                                  • Part of subcall function 0014A1E8: GetLastError.KERNEL32(?,?,0011AC26,00178118,0000000C), ref: 0014A1EC
                                  • Part of subcall function 0014A1E8: SetLastError.KERNEL32(00000000), ref: 0014A28E
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 001573D9
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00157423
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 001574E9
                                Similarity
                                • API ID: InfoLocale$ErrorLast
                                • String ID:
                                • API String ID: 661929714-0
                                APIs
                                • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000010), ref: 00136AB9
                                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000010), ref: 00136AC3
                                • UnhandledExceptionFilter.KERNEL32(00177EF0,?,?,?,?,?,00000010), ref: 00136AD0
                                Similarity
                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                • String ID:
                                • API String ID: 3906539128-0
                                Strings
                                Similarity
                                • API ID:
                                • String ID: %$+
                                • API String ID: 0-2626897407
                                APIs
                                Similarity
                                • API ID: __floor_pentium4
                                • String ID:
                                • API String ID: 4168288129-0
                                APIs
                                • GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,001524AC,00000000,00000000,00000000), ref: 0015236B
                                Similarity
                                • API ID: InformationTimeZone
                                • String ID:
                                • API String ID: 565725191-0
                                APIs
                                • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000000), ref: 0014C52C
                                Similarity
                                • API ID: ExceptionRaise
                                • String ID:
                                • API String ID: 3997070919-0
                                APIs
                                • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0010CBCB
                                Similarity
                                • API ID: FeaturePresentProcessor
                                • String ID:
                                • API String ID: 2325560087-0
                                Strings
                                Similarity
                                • API ID:
                                • String ID: 0
                                • API String ID: 0-4108050209
                                APIs
                                  • Part of subcall function 0014A1E8: GetLastError.KERNEL32(?,?,0011AC26,00178118,0000000C), ref: 0014A1EC
                                  • Part of subcall function 0014A1E8: SetLastError.KERNEL32(00000000), ref: 0014A28E
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0015762C
                                Similarity
                                • API ID: ErrorLast$InfoLocale
                                • String ID:
                                • API String ID: 3736152602-0
                                APIs
                                  • Part of subcall function 0014A1E8: GetLastError.KERNEL32(?,?,0011AC26,00178118,0000000C), ref: 0014A1EC
                                  • Part of subcall function 0014A1E8: SetLastError.KERNEL32(00000000), ref: 0014A28E
                                • EnumSystemLocalesW.KERNEL32(00157385,00000001,00000000,?,-00000050,?,001579B6,00000000,?,?,?,00000055,?), ref: 001572D1
                                Similarity
                                • API ID: ErrorLast$EnumLocalesSystem
                                • String ID:
                                • API String ID: 2417226690-0
                                APIs
                                • IsDebuggerPresent.KERNEL32 ref: 001527A0
                                  • Part of subcall function 0015EA8B: OutputDebugStringW.KERNEL32(00000000,?,?,?,?), ref: 0015EAE1
                                Similarity
                                • API ID: DebugDebuggerOutputPresentString
                                • String ID:
                                • API String ID: 4086329628-0
                                APIs
                                  • Part of subcall function 0014A1E8: GetLastError.KERNEL32(?,?,0011AC26,00178118,0000000C), ref: 0014A1EC
                                  • Part of subcall function 0014A1E8: SetLastError.KERNEL32(00000000), ref: 0014A28E
                                • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00157682,00000000,00000000,?), ref: 00157833
                                Similarity
                                • API ID: ErrorLast$InfoLocale
                                • String ID:
                                • API String ID: 3736152602-0
                                APIs
                                  • Part of subcall function 0014A1E8: GetLastError.KERNEL32(?,?,0011AC26,00178118,0000000C), ref: 0014A1EC
                                  • Part of subcall function 0014A1E8: SetLastError.KERNEL32(00000000), ref: 0014A28E
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 001571A3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • API ID: ErrorLast$InfoLocale
                                • String ID: utf8
                                • API String ID: 3736152602-905460609
                                APIs
                                  • Part of subcall function 0014A1E8: GetLastError.KERNEL32(?,?,0011AC26,00178118,0000000C), ref: 0014A1EC
                                  • Part of subcall function 0014A1E8: SetLastError.KERNEL32(00000000), ref: 0014A28E
                                • EnumSystemLocalesW.KERNEL32(001575D8,00000001,?,?,-00000050,?,0015797A,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00157344
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • API ID: ErrorLast$EnumLocalesSystem
                                • String ID:
                                • API String ID: 2417226690-0
                                APIs
                                  • Part of subcall function 00136CD0: EnterCriticalSection.KERNEL32(?,?,00149A2C,?,001786F8,00000008,00149E1F,?,?,?), ref: 00136CDF
                                • EnumSystemLocalesW.KERNEL32(0014865F,00000001,00178698,0000000C,00148F9F,00000000), ref: 001486AA
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • API ID: CriticalEnterEnumLocalesSectionSystem
                                • String ID:
                                • API String ID: 1272433827-0
                                APIs
                                • GetLocaleInfoEx.KERNEL32(?,00000022,00000000,00000002,?,?,00108FEF,00000000,?,00000004,001079DE,?,00000004,00107FE5,00000000,00000000), ref: 0010B826
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • API ID: InfoLocale
                                • String ID:
                                • API String ID: 2299586839-0
                                APIs
                                  • Part of subcall function 0014A1E8: GetLastError.KERNEL32(?,?,0011AC26,00178118,0000000C), ref: 0014A1EC
                                  • Part of subcall function 0014A1E8: SetLastError.KERNEL32(00000000), ref: 0014A28E
                                • EnumSystemLocalesW.KERNEL32(0015714F,00000001,?,?,?,001579D8,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0015722D
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • API ID: ErrorLast$EnumLocalesSystem
                                • String ID:
                                • API String ID: 2417226690-0
                                APIs
                                • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,001476BB,?,20001004,00000000,00000002,?,?,00146A33), ref: 00149162
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • API ID: InfoLocale
                                • String ID:
                                • API String ID: 2299586839-0
                                APIs
                                • EnumSystemLocalesW.KERNEL32(Function_0006865F,00000001), ref: 0014881D
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • API ID: EnumLocalesSystem
                                • String ID:
                                • API String ID: 2099609381-0
                                APIs
                                • SetUnhandledExceptionFilter.KERNEL32(Function_0002D08E,0010C174), ref: 0010D084
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • API ID: ExceptionFilterUnhandled
                                • String ID:
                                • API String ID: 3192549508-0
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • API ID: AllocHeap
                                • String ID:
                                • API String ID: 4292702814-0
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9168fdd8804e221c5c9145c7515e38d9aeaac0af290570f582c2d3f326aa4ced
                                • Instruction ID: 06d56b2f4d92c1ffc9a209102707f780b377caebb82b993755f371c620f83429
                                • Opcode Fuzzy Hash: 9168fdd8804e221c5c9145c7515e38d9aeaac0af290570f582c2d3f326aa4ced
                                • Instruction Fuzzy Hash: B9F03972A94224EBCB26CB4CD845B8973BDEB44B55F620096F501E76A1D7B0EE40CBD1
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 743b8df73bbecb6cfe9009cb3f4bd183f1b0861f1861fa392353fe24821af7f2
                                • Instruction ID: df89bcf4bdeb964cd7e99bce129a14039d9db17c69c5c4fcb2c590d27f130d06
                                • Opcode Fuzzy Hash: 743b8df73bbecb6cfe9009cb3f4bd183f1b0861f1861fa392353fe24821af7f2
                                • Instruction Fuzzy Hash: B2E06536604204EFCB05CF68CA44E0AB7E8EF48748F6148A8E409DB6A0E774EE40CB40
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e4f3b754888e3278a4bea328a4efc6f2bdfd1cb569636c4bb3fb552de1671067
                                • Instruction ID: 36d4613d9a6bb2e5304d150ab3911fc00e50366259504719132856f658c6a284
                                • Opcode Fuzzy Hash: e4f3b754888e3278a4bea328a4efc6f2bdfd1cb569636c4bb3fb552de1671067
                                • Instruction Fuzzy Hash: 56E06532A04204EFCB05CF68C644F49B7E9EB48744F6140A8E409DBAA0E774DE40CB50
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d9d4e2dfcbfd14504dd5c583896d366168cbc076de7f7db6caaae018fb7c7fb6
                                • Instruction ID: 13dfbd51462cd33389b24538b3c09919d616cfc262bdee0b074abd72ff64d37a
                                • Opcode Fuzzy Hash: d9d4e2dfcbfd14504dd5c583896d366168cbc076de7f7db6caaae018fb7c7fb6
                                • Instruction Fuzzy Hash: 12E08C72911228EBCB25DBDCC90598AF3FCEB44B01B52009AF501D3120C371DE00C7D0
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a167dba0b7fe516a20e84a041e270c8a941c5198453821c7edd0995884e7b0c9
                                • Instruction ID: 94483c420dc05901b9c43195d83ef5ec372a346935842c83cd178f621d4dc924
                                • Opcode Fuzzy Hash: a167dba0b7fe516a20e84a041e270c8a941c5198453821c7edd0995884e7b0c9
                                • Instruction Fuzzy Hash: 59E0E235905248EFCB04DFA8C549A4EB7F9EB48755F6188A4E405D7261D738EE84DA00
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c90b54524ff4a66a353ae9917df2b8be735c315749e427826934948b66141c99
                                • Instruction ID: 52228de8e33bf6bbe28618701656ac6d20f8776d0233ff842bb8a9ff78c8fa0d
                                • Opcode Fuzzy Hash: c90b54524ff4a66a353ae9917df2b8be735c315749e427826934948b66141c99
                                • Instruction Fuzzy Hash: 2CC08C3D280D8087CF29CA1882753A833AAA7A27C3FC0149CC4130BA63C71E9C82D701

                                Control-flow Graph: first node 116dbc-116dcf (legend: Executed / Not Executed)
                                APIs
                                Yara matches
                                Similarity
                                • API ID: Name::operator+$NameName::$Decorator::getReturnTypeoperator+
                                • String ID:
                                • API String ID: 2932655852-0

                                Control-flow Graph: first node 1183b4-1183ca (legend: Executed / Not Executed)
                                APIs
                                • DName::operator+.LIBCMT ref: 0011841F
                                • DName::operator+.LIBCMT ref: 00118562
                                  • Part of subcall function 00113D3A: shared_ptr.LIBCMT ref: 00113D56
                                • DName::operator+.LIBCMT ref: 0011850D
                                • DName::operator+.LIBCMT ref: 001185AE
                                • DName::operator+.LIBCMT ref: 001185BD
                                • DName::operator+.LIBCMT ref: 001186E9
                                • DName::operator=.LIBVCRUNTIME ref: 00118729
                                • DName::DName.LIBVCRUNTIME ref: 00118733
                                • DName::operator+.LIBCMT ref: 00118750
                                • DName::operator+.LIBCMT ref: 0011875C
                                  • Part of subcall function 00119C74: Replicator::operator[].LIBCMT ref: 00119CB1
                                Yara matches
                                Similarity
                                • API ID: Name::operator+$NameName::Name::operator=Replicator::operator[]shared_ptr
                                • String ID:
                                • API String ID: 1043660730-0
                                APIs
                                • std::_Lockit::_Lockit.LIBCPMT ref: 000E59ED
                                • std::_Lockit::_Lockit.LIBCPMT ref: 000E5A07
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 000E5A28
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 000E5A54
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 000E5A89
                                • std::_Lockit::_Lockit.LIBCPMT ref: 000E5AC6
                                • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 000E5B17
                                • __Getctype.LIBCPMT ref: 000E5B2E
                                • std::_Facet_Register.LIBCPMT ref: 000E5B47
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 000E5B60
                                Strings
                                Yara matches
                                Similarity
                                • API ID: std::_$Lockit$Lockit::~_$Lockit::_$Facet_GetctypeLocinfo::_Locinfo_ctorRegister
                                • String ID: bad locale name
                                • API String ID: 1407599034-1405518554
                                APIs
                                • std::_Lockit::_Lockit.LIBCPMT ref: 000E5F7D
                                • std::_Lockit::_Lockit.LIBCPMT ref: 000E5F97
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 000E5FB8
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 000E5FE4
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 000E6019
                                • std::_Lockit::_Lockit.LIBCPMT ref: 000E6056
                                • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 000E60A7
                                • std::_Facet_Register.LIBCPMT ref: 000E60C6
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 000E60DF
                                Strings
                                Yara matches
                                Similarity
                                • API ID: std::_$Lockit$Lockit::~_$Lockit::_$Facet_Locinfo::_Locinfo_ctorRegister
                                • String ID: bad locale name
                                • API String ID: 3434717313-1405518554
                                APIs
                                Yara matches
                                Similarity
                                • API ID: shared_ptr$operator+$Name::operator+Name::operator=
                                • String ID:
                                • API String ID: 1464150960-0
                                APIs
                                • Replicator::operator[].LIBCMT ref: 00119CB1
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Replicator::operator[]
                                • String ID: @$generic-type-$template-parameter-
                                • API String ID: 3676697650-1320211309
                                APIs
                                Strings
                                Yara matches
                                Similarity
                                • API ID: __aulldiv
                                • String ID: :$f$f$f$p$p$p
                                • API String ID: 3732870572-1434680307
                                • Opcode ID: 53faec21a0f61ad56f913964f669a59e52bd3e7363a596dc7a2b68de40648e67
                                • Instruction ID: 1b754fc4f30cd7fc61bb45d7f4e5d6779e614f5055b333cd87afca902796b8dd
                                • Opcode Fuzzy Hash: 53faec21a0f61ad56f913964f669a59e52bd3e7363a596dc7a2b68de40648e67
                                • Instruction Fuzzy Hash: 22029F75900218AADF38CFA4C8696EDB7B7FF40B14FA4C119E415BB285D7708E84CB65
                                APIs
                                • __EH_prolog3.LIBCMT ref: 00102607
                                  • Part of subcall function 000F9020: __EH_prolog3.LIBCMT ref: 000F9027
                                  • Part of subcall function 000F9020: std::_Lockit::_Lockit.LIBCPMT ref: 000F9031
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                Similarity
                                • API ID: H_prolog3$LockitLockit::_std::_
                                • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                • API String ID: 2181796688-2891247106
                                • Opcode ID: 28b41e4c6de35f9ef054d9e9c465e180cd1a4fc9bb21b8682afa7fc9629428f3
                                • Instruction ID: f1f6f0abf4aa9e36ee90c205dbb779b638ccb984243529811bbb5a512f3a4bfc
                                • Opcode Fuzzy Hash: 28b41e4c6de35f9ef054d9e9c465e180cd1a4fc9bb21b8682afa7fc9629428f3
                                • Instruction Fuzzy Hash: 57C1807650010EABCF19DFA8CD59DFA7BFCEB19304F15411AFA82A3291D7B09A10DB60
                                APIs
                                • __EH_prolog3.LIBCMT ref: 001029F7
                                  • Part of subcall function 000F90B5: __EH_prolog3.LIBCMT ref: 000F90BC
                                  • Part of subcall function 000F90B5: std::_Lockit::_Lockit.LIBCPMT ref: 000F90C6
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                Similarity
                                • API ID: H_prolog3$LockitLockit::_std::_
                                • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                • API String ID: 2181796688-2891247106
                                • Opcode ID: 8f51a14eb7172de698ce93bf753d3c306f25c69368c416a2c746fa643c3e68ba
                                • Instruction ID: 4514564add94782c7b630231d6b510bcfd715f66d72fbc80131a5d83481feb94
                                • Opcode Fuzzy Hash: 8f51a14eb7172de698ce93bf753d3c306f25c69368c416a2c746fa643c3e68ba
                                • Instruction Fuzzy Hash: 24C19F7250010AABDB19DF98CD69DFE7BBCAF05304F114119FA86A3691D7B0DE10DB60
                                APIs
                                • __EH_prolog3.LIBCMT ref: 00109CEE
                                  • Part of subcall function 000E59E0: std::_Lockit::_Lockit.LIBCPMT ref: 000E59ED
                                  • Part of subcall function 000E59E0: std::_Lockit::_Lockit.LIBCPMT ref: 000E5A07
                                  • Part of subcall function 000E59E0: std::_Lockit::~_Lockit.LIBCPMT ref: 000E5A28
                                  • Part of subcall function 000E59E0: std::_Lockit::~_Lockit.LIBCPMT ref: 000E5A54
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                Similarity
                                • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
                                • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                • API String ID: 1383202999-2891247106
                                • Opcode ID: 76355026cf799d6065306c921018b74f23ff9ac9353b3bb854406bf1ef796f57
                                • Instruction ID: 7b6917ae71d0d20bf59dc039c0dfc2aa3c24f46058f690c76c810c1b9b1a940c
                                • Opcode Fuzzy Hash: 76355026cf799d6065306c921018b74f23ff9ac9353b3bb854406bf1ef796f57
                                • Instruction Fuzzy Hash: BBC1727254020EAFCB18DF58C965DFE7BA8AF15300F154219F682E61D6D7B1DE10CB61
                                APIs
                                • type_info::operator==.LIBVCRUNTIME ref: 001123D5
                                • ___TypeMatch.LIBVCRUNTIME ref: 001124E3
                                • CatchIt.LIBVCRUNTIME ref: 00112534
                                • _UnwindNestedFrames.LIBCMT ref: 00112635
                                • CallUnexpected.LIBVCRUNTIME ref: 00112650
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                Similarity
                                • API ID: CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                • String ID: csm$csm$csm
                                • API String ID: 4119006552-393685449
                                • Opcode ID: d30a161a967b4baca8a9d693320c79863aa9fcf312fed4a5bff67c585ca77953
                                • Instruction ID: cb5633a9b15fa260d87cb6236d656a8eaff2df4269edf8189ff284665cfddfe3
                                • Opcode Fuzzy Hash: d30a161a967b4baca8a9d693320c79863aa9fcf312fed4a5bff67c585ca77953
                                • Instruction Fuzzy Hash: 96B17B7180020AEFCF1DDFA4D8819EEBBB5FF18314F14416AE9106B252D735DAA2CB91
                                APIs
                                • std::_Lockit::_Lockit.LIBCPMT ref: 000E7272
                                • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 000E72C7
                                • Concurrency::cancel_current_task.LIBCPMT ref: 000E7391
                                • Concurrency::cancel_current_task.LIBCPMT ref: 000E7396
                                • Concurrency::cancel_current_task.LIBCPMT ref: 000E739B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                Similarity
                                • API ID: Concurrency::cancel_current_task$std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                • String ID: bad locale name$false$true
                                • API String ID: 164343898-1062449267
                                • Opcode ID: 88ce6e8f3f83e932fc6f8e49ca148234a718c9bb34edf9570d47d75efcdf5f3f
                                • Instruction ID: 2b30743ae4bc860faa38262f669b13ad0a5e63a222fe6225fc30f38dae2b31ac
                                • Opcode Fuzzy Hash: 88ce6e8f3f83e932fc6f8e49ca148234a718c9bb34edf9570d47d75efcdf5f3f
                                • Instruction Fuzzy Hash: C841AE701093809FD760EFB9C941B8BBBE4AF94700F04491DF58CAB292D7B5D588CBA2
                                APIs
                                • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0010B4A1
                                • GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 0010B4AF
                                • GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 0010B4C0
                                • GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 0010B4D1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                Similarity
                                • API ID: AddressProc$HandleModule
                                • String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
                                • API String ID: 667068680-1247241052
                                • Opcode ID: 879045c0d74bc13576903da1122693746f30f218b5b4c8a039ec3f701e3f8ecc
                                • Instruction ID: 9bcf053e0ee48a40aca82d9f4b1d7ee0761e0a9ee4f435310217211aac13c8ff
                                • Opcode Fuzzy Hash: 879045c0d74bc13576903da1122693746f30f218b5b4c8a039ec3f701e3f8ecc
                                • Instruction Fuzzy Hash: B4E0EC32581220AFC300AF74BC0DC4B3EA8EF197113448916F501E2A60DFF444948FA6
                                APIs
                                • DName::operator+.LIBCMT ref: 00118F91
                                • UnDecorator::getSignedDimension.LIBCMT ref: 00118F9C
                                • UnDecorator::getSignedDimension.LIBCMT ref: 00119088
                                • UnDecorator::getSignedDimension.LIBCMT ref: 001190A5
                                • UnDecorator::getSignedDimension.LIBCMT ref: 001190C2
                                • DName::operator+.LIBCMT ref: 001190D7
                                • UnDecorator::getSignedDimension.LIBCMT ref: 001190F1
                                • DName::operator+.LIBCMT ref: 001191C6
                                  • Part of subcall function 00114E74: DName::DName.LIBVCRUNTIME ref: 00114ED2
                                • DName::DName.LIBVCRUNTIME ref: 0011923D
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                Similarity
                                • API ID: Decorator::getDimensionSigned$Name::operator+$NameName::
                                • String ID:
                                • API String ID: 3679549980-0
                                • Opcode ID: 745a178abbbb333bb72153075f35fc965d8fce1c777e5dc2bcc9adf2a65b6063
                                • Instruction ID: a00f9566af0f057875cb3473c94367e8836c0c7faebb61581c87c296bd0ae498
                                • Opcode Fuzzy Hash: 745a178abbbb333bb72153075f35fc965d8fce1c777e5dc2bcc9adf2a65b6063
                                • Instruction Fuzzy Hash: 3591C571C0420AAACB1CEFB4D969AFE7779AF15300F608139F122B6185DF74DAC58B91
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID: 0-3907804496
                                • Opcode ID: 16d3f0f3d4d6cd0324fb43c5e951a11286d5b23748f25decb6f50683f537cf13
                                • Instruction ID: 4bcbb0369874afcf6f8016b298a398be3a894b0680dd707309740a3cb10cfc92
                                • Opcode Fuzzy Hash: 16d3f0f3d4d6cd0324fb43c5e951a11286d5b23748f25decb6f50683f537cf13
                                • Instruction Fuzzy Hash: 3FB1F170E0424AAFDB15DF99C880BADBBB1AF59310F14816DE905AB3A1C7B19D43CF61
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                Similarity
                                • API ID: MaklocchrMaklocstr$H_prolog3_
                                • String ID: false$true
                                • API String ID: 2404127365-2658103896
                                • Opcode ID: 330a00d42174acbb28134d80c8a31a3c4dc3f1dc2b4c07fccd3feb0ca0e99cca
                                • Instruction ID: 2a480e1e3c9e3d1cb418429f5468395113678bfee5a8c64e4cf5d42e242b71f8
                                • Opcode Fuzzy Hash: 330a00d42174acbb28134d80c8a31a3c4dc3f1dc2b4c07fccd3feb0ca0e99cca
                                • Instruction Fuzzy Hash: 85217AB1C00388AEDF14EFA5C8859AEB7B8AF45700F00845AF945AF256EB74E500DB60
                                APIs
                                • DName::operator+.LIBCMT ref: 00115291
                                • DName::operator+.LIBCMT ref: 001152E4
                                  • Part of subcall function 00113D3A: shared_ptr.LIBCMT ref: 00113D56
                                  • Part of subcall function 00113C29: DName::operator+.LIBCMT ref: 00113C4A
                                • DName::operator+.LIBCMT ref: 001152D5
                                • DName::operator+.LIBCMT ref: 00115335
                                • DName::operator+.LIBCMT ref: 00115342
                                • DName::operator+.LIBCMT ref: 00115389
                                • DName::operator+.LIBCMT ref: 00115396
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                Similarity
                                • API ID: Name::operator+$shared_ptr
                                • String ID:
                                • API String ID: 1037112749-0
                                • Opcode ID: 7b3d77d3d9c0596011ee7c3b18e0b654ac4aefc9fd395be19454c6e51960fc21
                                • Instruction ID: 042828139eec442f2be49499bc161fb68fdc0e29f4ae2e4d4c484173c59a900f
                                • Opcode Fuzzy Hash: 7b3d77d3d9c0596011ee7c3b18e0b654ac4aefc9fd395be19454c6e51960fc21
                                • Instruction Fuzzy Hash: D9517372904218EBDF1DDFA4C845EEEBBB9BB58340F04406AF515B7181EB709A84CBA0
                                APIs
                                • _ValidateLocalCookies.LIBCMT ref: 00111AB7
                                • ___except_validate_context_record.LIBVCRUNTIME ref: 00111ABF
                                • _ValidateLocalCookies.LIBCMT ref: 00111B48
                                • __IsNonwritableInCurrentImage.LIBCMT ref: 00111B73
                                • _ValidateLocalCookies.LIBCMT ref: 00111BC8
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                Similarity
                                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                • String ID: csm
                                • API String ID: 1170836740-1018135373
                                • Opcode ID: c2b5e0ef1785f89a287c24f013624c8b273b8bb2738b90227b738ea57611ce87
                                • Instruction ID: fa716585d2ca5867cf0a3bf751a7190bb564bf09bfe1a882fd9ef1a22879380b
                                • Opcode Fuzzy Hash: c2b5e0ef1785f89a287c24f013624c8b273b8bb2738b90227b738ea57611ce87
                                • Instruction Fuzzy Hash: 4441B330A00208ABCF18DF68C885ADEBBB5BF45314F148065E9156B352E735EA95CF95
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                Similarity
                                • API ID:
                                • String ID: false$ios_base::badbit set$true
                                • API String ID: 0-1679644946
                                • Opcode ID: 2392070dfcd9f7f5bcd32664a9cc368e95b8015a025f832b1989a2b7c0695894
                                • Instruction ID: 663a8953018b91613dc8e885a8be9ec73588ab612fb9d652a45fcd1a9b80a44f
                                • Opcode Fuzzy Hash: 2392070dfcd9f7f5bcd32664a9cc368e95b8015a025f832b1989a2b7c0695894
                                • Instruction Fuzzy Hash: 503129356053805FD310DFA8D941797BFE4AF95304F08886DE5C98B712D7B2D449CBA2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                Similarity
                                • API ID:
                                • String ID: false$ios_base::badbit set$true
                                • API String ID: 0-1679644946
                                • Opcode ID: 34d1f10b9982d1bbf2d54ebf35a95b2e5f18c5043f3c2dab2b94d8e6e0192039
                                • Instruction ID: 1da526aed476040d834d3e3c09a5eb9931e28b3975477c5b31e11b6ba047b2c6
                                • Opcode Fuzzy Hash: 34d1f10b9982d1bbf2d54ebf35a95b2e5f18c5043f3c2dab2b94d8e6e0192039
                                • Instruction Fuzzy Hash: 103146351043805FD320EFB598417A7BFE49F52304F08856DE8CA5B752D7B69489C7A2
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                Similarity
                                • API ID: Maklocstr$GetvalsH_prolog3_
                                • String ID: false$true
                                • API String ID: 1611767717-2658103896
                                APIs
                                • API ID: __freea$Info
                                • String ID:
                                • API String ID: 541289543-0
                                APIs
                                • GetCPInfo.KERNEL32(?,?), ref: 0010BE19
                                • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 0010BEA5
                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0010BF10
                                • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 0010BF2C
                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0010BF8F
                                • CompareStringEx.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0010BFAC
                                • API ID: ByteCharMultiWide$CompareInfoString
                                • String ID:
                                • API String ID: 2984826149-0
                                APIs
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 000EEAB0
                                • MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 000EEB1B
                                • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 000EEB38
                                • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 000EEB77
                                • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 000EEBD6
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 000EEBF9
                                • API ID: ByteCharMultiStringWide
                                • String ID:
                                • API String ID: 2829165498-0
                                APIs
                                • DName::operator+.LIBCMT ref: 00119B64
                                • DName::operator+.LIBCMT ref: 00119B70
                                  • Part of subcall function 00113D3A: shared_ptr.LIBCMT ref: 00113D56
                                • DName::operator+=.LIBCMT ref: 00119C2E
                                  • Part of subcall function 001183B4: DName::operator+.LIBCMT ref: 0011841F
                                  • Part of subcall function 001183B4: DName::operator+.LIBCMT ref: 001186E9
                                  • Part of subcall function 00113C29: DName::operator+.LIBCMT ref: 00113C4A
                                • DName::operator+.LIBCMT ref: 00119BEB
                                  • Part of subcall function 00113D92: DName::operator=.LIBVCRUNTIME ref: 00113DB3
                                • DName::DName.LIBVCRUNTIME ref: 00119C52
                                • DName::operator+.LIBCMT ref: 00119C5E
                                • API ID: Name::operator+$NameName::Name::operator+=Name::operator=shared_ptr
                                • String ID:
                                • API String ID: 2795783184-0
                                APIs
                                • std::_Lockit::_Lockit.LIBCPMT ref: 000E69DD
                                • std::_Lockit::_Lockit.LIBCPMT ref: 000E69FB
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 000E6A1C
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 000E6A6C
                                • std::_Facet_Register.LIBCPMT ref: 000E6A96
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 000E6AAF
                                  • Part of subcall function 000E1FE0: ___std_exception_copy.LIBVCRUNTIME ref: 000E201C
                                • API ID: std::_$Lockit$Lockit::~_$Lockit::_$Facet_Register___std_exception_copy
                                • String ID:
                                • API String ID: 728164013-0
                                APIs
                                  • Part of subcall function 00119C74: Replicator::operator[].LIBCMT ref: 00119CB1
                                • DName::operator=.LIBVCRUNTIME ref: 0011881E
                                  • Part of subcall function 001183B4: DName::operator+.LIBCMT ref: 0011841F
                                  • Part of subcall function 001183B4: DName::operator+.LIBCMT ref: 001186E9
                                • DName::operator+.LIBCMT ref: 001187D8
                                • DName::operator+.LIBCMT ref: 001187E4
                                • DName::DName.LIBVCRUNTIME ref: 00118828
                                • DName::operator+.LIBCMT ref: 00118845
                                • DName::operator+.LIBCMT ref: 00118851
                                • API ID: Name::operator+$NameName::Name::operator=Replicator::operator[]
                                • String ID:
                                • API String ID: 955152517-0
                                APIs
                                • GetLastError.KERNEL32(?,?,00111F3F,0010E9DD,0010D0D2), ref: 00111F56
                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00111F64
                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00111F7D
                                • SetLastError.KERNEL32(00000000,00111F3F,0010E9DD,0010D0D2), ref: 00111FCF
                                • API ID: ErrorLastValue___vcrt_
                                • String ID:
                                • API String ID: 3852720340-0
                                APIs
                                Strings
                                • API ID: Mpunct$GetvalsH_prolog3
                                • String ID: $+xv
                                • API String ID: 2204710431-1686923651
                                APIs
                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,4C17592F,?,?,00000000,0016647A,000000FF,?,00145782,00000002,?,00145756,00136DAA), ref: 00145830
                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00145842
                                • FreeLibrary.KERNEL32(00000000,?,?,00000000,0016647A,000000FF,?,00145782,00000002,?,00145756,00136DAA), ref: 00145864
                                Strings
                                • API ID: AddressFreeHandleLibraryModuleProc
                                • String ID: CorExitProcess$mscoree.dll
                                • API String ID: 4061214504-1276376045
                                APIs
                                • LoadLibraryExW.KERNEL32(?,00000000,00000800,?,00148D26), ref: 00148D7C
                                • GetLastError.KERNEL32(?,00148D26), ref: 00148D86
                                • LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 00148DC4
                                Strings
                                • API ID: LibraryLoad$ErrorLast
                                • String ID: api-ms-$ext-ms-
                                • API String ID: 3177248105-537541572
                                APIs
                                • __EH_prolog3.LIBCMT ref: 000FEBDE
                                • ctype.LIBCPMT ref: 000FEC25
                                  • Part of subcall function 000FE257: __Getctype.LIBCPMT ref: 000FE266
                                  • Part of subcall function 000F9274: __EH_prolog3.LIBCMT ref: 000F927B
                                  • Part of subcall function 000F9274: std::_Lockit::_Lockit.LIBCPMT ref: 000F9285
                                  • Part of subcall function 000F939E: __EH_prolog3.LIBCMT ref: 000F93A5
                                  • Part of subcall function 000F939E: std::_Lockit::_Lockit.LIBCPMT ref: 000F93AF
                                  • Part of subcall function 000F955D: __EH_prolog3.LIBCMT ref: 000F9564
                                  • Part of subcall function 000F955D: std::_Lockit::_Lockit.LIBCPMT ref: 000F956E
                                  • Part of subcall function 000F955D: std::_Lockit::~_Lockit.LIBCPMT ref: 000F95DF
                                  • Part of subcall function 000F94C8: __EH_prolog3.LIBCMT ref: 000F94CF
                                  • Part of subcall function 000F94C8: std::_Lockit::_Lockit.LIBCPMT ref: 000F94D9
                                  • Part of subcall function 000ED91A: __EH_prolog3.LIBCMT ref: 000ED921
                                  • Part of subcall function 000ED91A: std::_Lockit::_Lockit.LIBCPMT ref: 000ED92B
                                  • Part of subcall function 000ED91A: std::_Lockit::~_Lockit.LIBCPMT ref: 000ED9D2
                                • numpunct.LIBCPMT ref: 000FEFD3
                                  • Part of subcall function 000FA2FC: __EH_prolog3.LIBCMT ref: 000FA303
                                  • Part of subcall function 000F9A9A: __EH_prolog3.LIBCMT ref: 000F9AA1
                                  • Part of subcall function 000F9A9A: std::_Lockit::_Lockit.LIBCPMT ref: 000F9AAB
                                  • Part of subcall function 000F9A9A: std::_Lockit::~_Lockit.LIBCPMT ref: 000F9B1C
                                  • Part of subcall function 000F9BC4: __EH_prolog3.LIBCMT ref: 000F9BCB
                                  • Part of subcall function 000F9BC4: std::_Lockit::_Lockit.LIBCPMT ref: 000F9BD5
                                  • Part of subcall function 000F9BC4: std::_Lockit::~_Lockit.LIBCPMT ref: 000F9C46
                                  • Part of subcall function 000ED91A: Concurrency::cancel_current_task.LIBCPMT ref: 000ED9DD
                                  • Part of subcall function 000F8DCC: __EH_prolog3.LIBCMT ref: 000F8DD3
                                  • Part of subcall function 000F8DCC: std::_Lockit::_Lockit.LIBCPMT ref: 000F8DDD
                                  • Part of subcall function 000F8DCC: std::_Lockit::~_Lockit.LIBCPMT ref: 000F8E4E
                                • __Getcoll.LIBCPMT ref: 000FED99
                                  • Part of subcall function 000E2220: std::_Lockit::_Lockit.LIBCPMT ref: 000E222F
                                  • Part of subcall function 000E2220: std::_Lockit::~_Lockit.LIBCPMT ref: 000E224A
                                • codecvt.LIBCPMT ref: 000FF084
                                • API ID: Lockitstd::_$H_prolog3$Lockit::_$Lockit::~_$Concurrency::cancel_current_taskGetcollGetctypecodecvtctypenumpunct
                                • String ID:
                                • API String ID: 778957219-0
                                APIs
                                • __EH_prolog3.LIBCMT ref: 000FF0BA
                                • ctype.LIBCPMT ref: 000FF101
                                  • Part of subcall function 000FE290: __Getctype.LIBCPMT ref: 000FE29F
                                  • Part of subcall function 000F9309: __EH_prolog3.LIBCMT ref: 000F9310
                                  • Part of subcall function 000F9309: std::_Lockit::_Lockit.LIBCPMT ref: 000F931A
                                  • Part of subcall function 000F9433: __EH_prolog3.LIBCMT ref: 000F943A
                                  • Part of subcall function 000F9433: std::_Lockit::_Lockit.LIBCPMT ref: 000F9444
                                  • Part of subcall function 000F9687: __EH_prolog3.LIBCMT ref: 000F968E
                                  • Part of subcall function 000F9687: std::_Lockit::_Lockit.LIBCPMT ref: 000F9698
                                  • Part of subcall function 000F9687: std::_Lockit::~_Lockit.LIBCPMT ref: 000F9709
                                  • Part of subcall function 000F95F2: __EH_prolog3.LIBCMT ref: 000F95F9
                                  • Part of subcall function 000F95F2: std::_Lockit::_Lockit.LIBCPMT ref: 000F9603
                                  • Part of subcall function 000F95F2: std::_Lockit::~_Lockit.LIBCPMT ref: 000F9674
                                  • Part of subcall function 000ED91A: __EH_prolog3.LIBCMT ref: 000ED921
                                  • Part of subcall function 000ED91A: std::_Lockit::_Lockit.LIBCPMT ref: 000ED92B
                                  • Part of subcall function 000ED91A: std::_Lockit::~_Lockit.LIBCPMT ref: 000ED9D2
                                • numpunct.LIBCPMT ref: 000FF4AF
                                  • Part of subcall function 000FA32F: __EH_prolog3.LIBCMT ref: 000FA336
                                  • Part of subcall function 000F9B2F: __EH_prolog3.LIBCMT ref: 000F9B36
                                  • Part of subcall function 000F9B2F: std::_Lockit::_Lockit.LIBCPMT ref: 000F9B40
                                  • Part of subcall function 000F9B2F: std::_Lockit::~_Lockit.LIBCPMT ref: 000F9BB1
                                  • Part of subcall function 000F9C59: __EH_prolog3.LIBCMT ref: 000F9C60
                                  • Part of subcall function 000F9C59: std::_Lockit::_Lockit.LIBCPMT ref: 000F9C6A
                                  • Part of subcall function 000F9C59: std::_Lockit::~_Lockit.LIBCPMT ref: 000F9CDB
                                  • Part of subcall function 000ED91A: Concurrency::cancel_current_task.LIBCPMT ref: 000ED9DD
                                  • Part of subcall function 000F8E61: __EH_prolog3.LIBCMT ref: 000F8E68
                                  • Part of subcall function 000F8E61: std::_Lockit::_Lockit.LIBCPMT ref: 000F8E72
                                  • Part of subcall function 000F8E61: std::_Lockit::~_Lockit.LIBCPMT ref: 000F8EE3
                                • __Getcoll.LIBCPMT ref: 000FF275
                                  • Part of subcall function 000E2220: std::_Lockit::_Lockit.LIBCPMT ref: 000E222F
                                  • Part of subcall function 000E2220: std::_Lockit::~_Lockit.LIBCPMT ref: 000E224A
                                • codecvt.LIBCPMT ref: 000FF560
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Lockitstd::_$H_prolog3$Lockit::_$Lockit::~_$Concurrency::cancel_current_taskGetcollGetctypecodecvtctypenumpunct
                                • String ID:
                                • API String ID: 778957219-0
                                • Opcode ID: 121a5527cbe0d5abe761a46fa83ebab3d00ceeed5f879612354401b6f7f3af8e
                                • Instruction ID: ed9acb264554fc9ce3cdc1e2239887d7d380d268d66f364b481cd3571ea4eaab
                                • Opcode Fuzzy Hash: 121a5527cbe0d5abe761a46fa83ebab3d00ceeed5f879612354401b6f7f3af8e
                                • Instruction Fuzzy Hash: A5E1F67290021FAFDB216F658C02ABF7AA5EF51350F10453DFA587B692EB718E00A7D1
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: operator+shared_ptr$NameName::
                                • String ID:
                                • API String ID: 2894330373-0
                                • Opcode ID: 520703d976fff048b3c3672f1443dad19ea576b52533488262b17de0541cd8dd
                                • Instruction ID: 199c2d661ecfc78470e1ecee9f414c4935631b3e7f48145cb89740aa7e975b06
                                • Opcode Fuzzy Hash: 520703d976fff048b3c3672f1443dad19ea576b52533488262b17de0541cd8dd
                                • Instruction Fuzzy Hash: 36614A7180810AEECB1CDFA8D8459FA7FB5EB06304F1485A9E4299B391D7729AC5CF90
                                APIs
                                • GetCurrentThreadId.KERNEL32 ref: 000EEDB6
                                • AcquireSRWLockExclusive.KERNEL32(?,?,000EBF1B,?), ref: 000EEDD5
                                • AcquireSRWLockExclusive.KERNEL32(?,?,?,?,000EBF1B,?), ref: 000EEE03
                                • TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,000EBF1B,?), ref: 000EEE5E
                                • TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,000EBF1B,?), ref: 000EEE75
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AcquireExclusiveLock$CurrentThread
                                • String ID:
                                • API String ID: 66001078-0
                                • Opcode ID: ea46334aa49da8a5707a180cbdb0e36dc776bfef3641f7d9a0e72a8374b6c034
                                • Instruction ID: 377384d54865d1a2ee407af846a74119ce745674bffafc73b7a8bf706f891298
                                • Opcode Fuzzy Hash: ea46334aa49da8a5707a180cbdb0e36dc776bfef3641f7d9a0e72a8374b6c034
                                • Instruction Fuzzy Hash: 53414B319006CADFCB24DF66C8859AAB3F5FF58310B104A2AE456E7B50E730F984CB90
                                APIs
                                • __EH_prolog3.LIBCMT ref: 000E9DB1
                                • std::_Lockit::_Lockit.LIBCPMT ref: 000E9DBB
                                  • Part of subcall function 000E2220: std::_Lockit::_Lockit.LIBCPMT ref: 000E222F
                                  • Part of subcall function 000E2220: std::_Lockit::~_Lockit.LIBCPMT ref: 000E224A
                                • codecvt.LIBCPMT ref: 000E9DF5
                                • std::_Facet_Register.LIBCPMT ref: 000E9E0C
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 000E9E2C
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
                                • String ID:
                                • API String ID: 712880209-0
                                • Opcode ID: fcb66dcf28bcd34fbbb5c6a2ce0feebac3ec98c63733e18772b5127cc02c3223
                                • Instruction ID: f7d844683c5ce1ab8f4cb8749e9fbc74ac1ebde1caf9175a39f6a5f4209d456f
                                • Opcode Fuzzy Hash: fcb66dcf28bcd34fbbb5c6a2ce0feebac3ec98c63733e18772b5127cc02c3223
                                • Instruction Fuzzy Hash: 3011D372A00265AFCF15EB95D942AEEB7A9AF54710F140109F901BB392CFB09E01CBD1
                                APIs
                                • __EH_prolog3.LIBCMT ref: 000F8DD3
                                • std::_Lockit::_Lockit.LIBCPMT ref: 000F8DDD
                                  • Part of subcall function 000E2220: std::_Lockit::_Lockit.LIBCPMT ref: 000E222F
                                  • Part of subcall function 000E2220: std::_Lockit::~_Lockit.LIBCPMT ref: 000E224A
                                • codecvt.LIBCPMT ref: 000F8E17
                                • std::_Facet_Register.LIBCPMT ref: 000F8E2E
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 000F8E4E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
                                • String ID:
                                • API String ID: 712880209-0
                                • Opcode ID: 2c347dbcbe86d319279de75aea08312f8d24e7f73a3abb42efd7b101ecf42d56
                                • Instruction ID: f08afe935b8ffc6e294a5fe7d9298cbf38939d965248065740864a10de23ecab
                                • Opcode Fuzzy Hash: 2c347dbcbe86d319279de75aea08312f8d24e7f73a3abb42efd7b101ecf42d56
                                • Instruction Fuzzy Hash: B801CC769001599FCB15EBA4C841AFEBBA5AF94720F248509E511BB2A2CFB09E05DB81
                                APIs
                                • __EH_prolog3.LIBCMT ref: 000F8E68
                                • std::_Lockit::_Lockit.LIBCPMT ref: 000F8E72
                                  • Part of subcall function 000E2220: std::_Lockit::_Lockit.LIBCPMT ref: 000E222F
                                  • Part of subcall function 000E2220: std::_Lockit::~_Lockit.LIBCPMT ref: 000E224A
                                • codecvt.LIBCPMT ref: 000F8EAC
                                • std::_Facet_Register.LIBCPMT ref: 000F8EC3
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 000F8EE3
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
                                • String ID:
                                • API String ID: 712880209-0
                                • Opcode ID: c92f31aa058e23e73bd6350e2158c08eeb0e65d46869926cd0e48fd402632ad3
                                • Instruction ID: 4275ec376e8788e772323656225789b78f6b8428490995ddfbf039284933673b
                                • Opcode Fuzzy Hash: c92f31aa058e23e73bd6350e2158c08eeb0e65d46869926cd0e48fd402632ad3
                                • Instruction Fuzzy Hash: 0A01C0329002999FCF05EBA4C841AFEB7A6AF90710F244108E6117B6D2CF749E40DBD1
                                APIs
                                • __EH_prolog3.LIBCMT ref: 0010748A
                                • std::_Lockit::_Lockit.LIBCPMT ref: 00107494
                                  • Part of subcall function 000E2220: std::_Lockit::_Lockit.LIBCPMT ref: 000E222F
                                  • Part of subcall function 000E2220: std::_Lockit::~_Lockit.LIBCPMT ref: 000E224A
                                • messages.LIBCPMT ref: 001074CE
                                • std::_Facet_Register.LIBCPMT ref: 001074E5
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 00107505
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
                                • String ID:
                                • API String ID: 2750803064-0
                                • Opcode ID: 24aa94bc7f26a1c277cc50e8bde78bebce8d10da9676f91835b0a8193518a00d
                                • Instruction ID: 8576da8a670801693b2e9d89a46505be0bb903237269a9c94d2750751051c4ec
                                • Opcode Fuzzy Hash: 24aa94bc7f26a1c277cc50e8bde78bebce8d10da9676f91835b0a8193518a00d
                                • Instruction Fuzzy Hash: 4A01D2329041559FCB06EBA4D906AFEBBA5BF90710F144508F4417B2D2CFB4AE00CBC0
                                APIs
                                • __EH_prolog3.LIBCMT ref: 000F9564
                                • std::_Lockit::_Lockit.LIBCPMT ref: 000F956E
                                  • Part of subcall function 000E2220: std::_Lockit::_Lockit.LIBCPMT ref: 000E222F
                                  • Part of subcall function 000E2220: std::_Lockit::~_Lockit.LIBCPMT ref: 000E224A
                                • moneypunct.LIBCPMT ref: 000F95A8
                                • std::_Facet_Register.LIBCPMT ref: 000F95BF
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 000F95DF
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                • String ID:
                                • API String ID: 419941038-0
                                • Opcode ID: f9590cd3df56c8b2ac181a7103b4bf3d9a40834e7eca3777d7e60e5d85b2abf9
                                • Instruction ID: d93a256f37d5cda65a132eb5630296b1a852da97f73ceae63c6fc7a3b8090d28
                                • Opcode Fuzzy Hash: f9590cd3df56c8b2ac181a7103b4bf3d9a40834e7eca3777d7e60e5d85b2abf9
                                • Instruction Fuzzy Hash: 8401A9769005599FCF06EBA4D841AFEBBB5AF94B20F244109E911BB292CF74DA01CF81
                                APIs
                                • __EH_prolog3.LIBCMT ref: 000F95F9
                                • std::_Lockit::_Lockit.LIBCPMT ref: 000F9603
                                  • Part of subcall function 000E2220: std::_Lockit::_Lockit.LIBCPMT ref: 000E222F
                                  • Part of subcall function 000E2220: std::_Lockit::~_Lockit.LIBCPMT ref: 000E224A
                                • moneypunct.LIBCPMT ref: 000F963D
                                • std::_Facet_Register.LIBCPMT ref: 000F9654
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 000F9674
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                • String ID:
                                • API String ID: 419941038-0
                                • Opcode ID: fa8ba686f7e3aecfa89570ca8aa719986ba1c11d26b46eba7076a2ee39c1575e
                                • Instruction ID: c123db5a25414932cfe80b5a0f8edb05212ec2d019f18c40b4d870f41f2b9e07
                                • Opcode Fuzzy Hash: fa8ba686f7e3aecfa89570ca8aa719986ba1c11d26b46eba7076a2ee39c1575e
                                • Instruction Fuzzy Hash: CF01CC769001599FCF15EBA5D851AFEB7A5AF90310F254109EA01BB2E2CFB09E01DB92
                                APIs
                                • __EH_prolog3.LIBCMT ref: 00107649
                                • std::_Lockit::_Lockit.LIBCPMT ref: 00107653
                                  • Part of subcall function 000E2220: std::_Lockit::_Lockit.LIBCPMT ref: 000E222F
                                  • Part of subcall function 000E2220: std::_Lockit::~_Lockit.LIBCPMT ref: 000E224A
                                • moneypunct.LIBCPMT ref: 0010768D
                                • std::_Facet_Register.LIBCPMT ref: 001076A4
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 001076C4
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                • String ID:
                                • API String ID: 419941038-0
                                • Opcode ID: 98fcb85cf299c98f77caa1211bf13b2a5deee9683e0b3879c932ee9f9ef64ce0
                                • Instruction ID: 7a356d578f076e90431c2eb1683b190a7a24240b23194e96724d238254288037
                                • Opcode Fuzzy Hash: 98fcb85cf299c98f77caa1211bf13b2a5deee9683e0b3879c932ee9f9ef64ce0
                                • Instruction Fuzzy Hash: 8C01C072D005599FCF09EBA4D941AFEB765AF90310F254109E4427B3E2CFB4AE00CB80
                                APIs
                                • __EH_prolog3.LIBCMT ref: 000F968E
                                • std::_Lockit::_Lockit.LIBCPMT ref: 000F9698
                                  • Part of subcall function 000E2220: std::_Lockit::_Lockit.LIBCPMT ref: 000E222F
                                  • Part of subcall function 000E2220: std::_Lockit::~_Lockit.LIBCPMT ref: 000E224A
                                • moneypunct.LIBCPMT ref: 000F96D2
                                • std::_Facet_Register.LIBCPMT ref: 000F96E9
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 000F9709
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                • String ID:
                                • API String ID: 419941038-0
                                • Opcode ID: 9c12e6fe3a2c00c9dc67ffb165abc91958585bb086c449a3db7546fdc0f99840
                                • Instruction ID: 9209cf5af42750feb24873795a7edbd6905bae33f414b77f7fa495490192cff8
                                • Opcode Fuzzy Hash: 9c12e6fe3a2c00c9dc67ffb165abc91958585bb086c449a3db7546fdc0f99840
                                • Instruction Fuzzy Hash: 2F01C0369002599FCB05EBA5D951AFEB7A5AF94320F240508F501BB2A2CF74DE41CB81
                                APIs
                                • __EH_prolog3.LIBCMT ref: 001076DE
                                • std::_Lockit::_Lockit.LIBCPMT ref: 001076E8
                                  • Part of subcall function 000E2220: std::_Lockit::_Lockit.LIBCPMT ref: 000E222F
                                  • Part of subcall function 000E2220: std::_Lockit::~_Lockit.LIBCPMT ref: 000E224A
                                • moneypunct.LIBCPMT ref: 00107722
                                • std::_Facet_Register.LIBCPMT ref: 00107739
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 00107759
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                • String ID:
                                • API String ID: 419941038-0
                                • Opcode ID: 10e31cc8ad990907ca7ae255b93af679e1a1d446b33a2dc4e4300f21f973c6d3
                                • Instruction ID: c9ee98a6c058dd78323edaba0b5352cd1f6b0979350230bd39abb3cba5c17216
                                • Opcode Fuzzy Hash: 10e31cc8ad990907ca7ae255b93af679e1a1d446b33a2dc4e4300f21f973c6d3
                                • Instruction Fuzzy Hash: 92010032E002559FCF05EBA4C945AEEB766EF90710F200108E441BB3D2CFB0AA00CB80
                                APIs
                                • __EH_prolog3.LIBCMT ref: 000F9977
                                • std::_Lockit::_Lockit.LIBCPMT ref: 000F9981
                                  • Part of subcall function 000E2220: std::_Lockit::_Lockit.LIBCPMT ref: 000E222F
                                  • Part of subcall function 000E2220: std::_Lockit::~_Lockit.LIBCPMT ref: 000E224A
                                • numpunct.LIBCPMT ref: 000F99BB
                                • std::_Facet_Register.LIBCPMT ref: 000F99D2
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 000F99F2
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
                                • String ID:
                                • API String ID: 743221004-0
                                • Opcode ID: c1638151f96f5897612440973899299932f23b6053fff8ea21425668f15221ec
                                • Instruction ID: 09eaf54690655be94cb86b314672805903da7c69b860efab0ce2a31daa21c33b
                                • Opcode Fuzzy Hash: c1638151f96f5897612440973899299932f23b6053fff8ea21425668f15221ec
                                • Instruction Fuzzy Hash: D501AD369002599FCB05EBA9D882AFEB7B5AF90310F25010DE511BB292DFB49E40DB91
                                APIs
                                • __EH_prolog3.LIBCMT ref: 000F9A0C
                                • std::_Lockit::_Lockit.LIBCPMT ref: 000F9A16
                                  • Part of subcall function 000E2220: std::_Lockit::_Lockit.LIBCPMT ref: 000E222F
                                  • Part of subcall function 000E2220: std::_Lockit::~_Lockit.LIBCPMT ref: 000E224A
                                • numpunct.LIBCPMT ref: 000F9A50
                                • std::_Facet_Register.LIBCPMT ref: 000F9A67
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 000F9A87
                                Similarity
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
                                • String ID:
                                • API String ID: 743221004-0
                                • Opcode ID: 62dfee37fdd4418fb7439dc75ac33c9cd5fe51fc2b3f7b81e1e344e8502f51dc
                                • Instruction ID: 06ecae4336a44fffabd2d73c0a4a5ea92a447570d3ae5fe100523f6aaad99a68
                                • Opcode Fuzzy Hash: 62dfee37fdd4418fb7439dc75ac33c9cd5fe51fc2b3f7b81e1e344e8502f51dc
                                • Instruction Fuzzy Hash: 4E01C0329001599FCB05EBA4D941AFEB7B5AF94710F244509E6117B2A2CFB49E00CBC2
                                APIs
                                • __EH_prolog3.LIBCMT ref: 000EB62D
                                • std::_Lockit::_Lockit.LIBCPMT ref: 000EB638
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 000EB6A6
                                  • Part of subcall function 000EB7B9: std::locale::_Locimp::_Locimp.LIBCPMT ref: 000EB7D1
                                • std::locale::_Setgloballocale.LIBCPMT ref: 000EB653
                                • _Yarn.LIBCPMT ref: 000EB669
                                Similarity
                                • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                • String ID:
                                • API String ID: 1088826258-0
                                • Opcode ID: 943d45f3c7ffadd0255de8c4f57be4933e5cf48db21b2395283529dedeb1f803
                                • Instruction ID: fdae50e7c69066e8d3f1d7b397e04dddcec53da0e0e3ab3eefeefcafab1f4baf
                                • Opcode Fuzzy Hash: 943d45f3c7ffadd0255de8c4f57be4933e5cf48db21b2395283529dedeb1f803
                                • Instruction Fuzzy Hash: BE01D4B56005619FCB0AEB61D8419BE7BA2FF84700B14400DE81167782CF74AE42CFC5
                                APIs
                                Strings
                                Similarity
                                • API ID: __freea
                                • String ID: a/p$am/pm
                                • API String ID: 240046367-3206640213
                                • Opcode ID: 3952a66948a6d4d7eb49992086ac6b14dcc99e7efff9b9fd209ab536d2e772eb
                                • Instruction ID: 92215d56c25541899f0c9379c1d7509d096bb5e751756f12345a7ca8d3923ae0
                                • Opcode Fuzzy Hash: 3952a66948a6d4d7eb49992086ac6b14dcc99e7efff9b9fd209ab536d2e772eb
                                • Instruction Fuzzy Hash: 2DC11435A00206DBDB28CF68C899BBAB7B0FF55700FA54159F905AB270D3B59DC1CBA1
                                APIs
                                • EncodePointer.KERNEL32(00000000,?), ref: 00112680
                                • CatchIt.LIBVCRUNTIME ref: 00112766
                                Strings
                                Similarity
                                • API ID: CatchEncodePointer
                                • String ID: MOC$RCC
                                • API String ID: 1435073870-2084237596
                                • Opcode ID: 7569869a02ebe51f826ae1e25c9d23e1dc11050e761c52fa5af3a791c289ddde
                                • Instruction ID: ae8566e7d86cffe21016a29aaa98913e81531d053b74329afb85e4797b8d9b51
                                • Opcode Fuzzy Hash: 7569869a02ebe51f826ae1e25c9d23e1dc11050e761c52fa5af3a791c289ddde
                                • Instruction Fuzzy Hash: 5C419A7190020AEFCF1ADF94DC81AEEBBB5FF58304F148069F904A72A1D33599A0DB60
                                APIs
                                • std::_Lockit::_Lockit.LIBCPMT ref: 000E24C9
                                • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 000E251A
                                • __Getctype.LIBCPMT ref: 000E2531
                                Strings
                                Similarity
                                • API ID: std::_$GetctypeLocinfo::_Locinfo_ctorLockitLockit::_
                                • String ID: bad locale name
                                • API String ID: 1612978173-1405518554
                                • Opcode ID: 0ab07ab780baba0472a3f90913f711fbaa488d670a132963667b4f8735544b16
                                • Instruction ID: 20f1641db6baf9db8e9f300bac1568e7d0b66612e56fcd6226240d8c39484383
                                • Opcode Fuzzy Hash: 0ab07ab780baba0472a3f90913f711fbaa488d670a132963667b4f8735544b16
                                • Instruction Fuzzy Hash: 2831B1B19083809FD760DF29C94175BBBF8AF94314F144A2DF889B7252D7B1E944CB92
                                APIs
                                • __EH_prolog3.LIBCMT ref: 000FE05C
                                  • Part of subcall function 000F5FE3: _Maklocstr.LIBCPMT ref: 000F6003
                                  • Part of subcall function 000F5FE3: _Maklocstr.LIBCPMT ref: 000F6020
                                  • Part of subcall function 000F5FE3: _Maklocstr.LIBCPMT ref: 000F603D
                                • _Mpunct.LIBCPMT ref: 000FE0E9
                                • _Mpunct.LIBCPMT ref: 000FE103
                                Strings
                                Similarity
                                • API ID: Maklocstr$Mpunct$H_prolog3
                                • String ID: $+xv
                                • API String ID: 4259326447-1686923651
                                • Opcode ID: c95f2d954fe287e923666b23e9454397235f8379053bd3000298b840d2485af9
                                • Instruction ID: 54c6de4d1fbe853e4c070fd50cc7d3fe7358a5957fce217c4066e3270c3d93a5
                                • Opcode Fuzzy Hash: c95f2d954fe287e923666b23e9454397235f8379053bd3000298b840d2485af9
                                • Instruction Fuzzy Hash: C321A1B1804B966ED721DF74C88077BBEF8AB09300F044A5AE599C7E42EB74E641CB90
                                APIs
                                Strings
                                Similarity
                                • API ID: Mpunct$H_prolog3
                                • String ID: $+xv
                                • API String ID: 4281374311-1686923651
                                • Opcode ID: 2bc65fe07d9eba4741c53a8405e54c5c86d14abafbd6c59b141db156bd3a329d
                                • Instruction ID: ff3dffaf1d1d1ce577e88e539e950004f736710542c126ae16fe49d10a7f5703
                                • Opcode Fuzzy Hash: 2bc65fe07d9eba4741c53a8405e54c5c86d14abafbd6c59b141db156bd3a329d
                                • Instruction Fuzzy Hash: DD218EB1904B966ED725DF75889067BBEF8AB09300F044A5AB0D9C6A82DB74E601CF90
                                APIs
                                • __is_exception_typeof.LIBVCRUNTIME ref: 0010E9CA
                                Strings
                                Similarity
                                • API ID: __is_exception_typeof
                                • String ID: MOC$RCC$csm
                                • API String ID: 3140442014-2671469338
                                • Opcode ID: c00f6b53c467c39b2be6ae11c8a4c050a5e68a5e9b9ef3e92b354dc4b01df661
                                • Instruction ID: cd37ef39db5df9f1fb0b1c497dd4ba93742da5973eeb63ba7b5e5700e6dac7c0
                                • Opcode Fuzzy Hash: c00f6b53c467c39b2be6ae11c8a4c050a5e68a5e9b9ef3e92b354dc4b01df661
                                • Instruction Fuzzy Hash: FC11C831914206DFD718EF56C401B99B7E8EF10329F1544AAE484CB2A1D7F4ED85CB91
                                APIs
                                • LoadLibraryExW.KERNEL32(00000011,00000000,00000800,?,0011A4D3,00000000,00000001,001C7074,?,?,?,0011A72A,00000004,InitializeCriticalSectionEx,0016B5DC,InitializeCriticalSectionEx), ref: 0011A5E3
                                • GetLastError.KERNEL32(?,0011A4D3,00000000,00000001,001C7074,?,?,?,0011A72A,00000004,InitializeCriticalSectionEx,0016B5DC,InitializeCriticalSectionEx,00000000,?,0011321D), ref: 0011A5ED
                                • LoadLibraryExW.KERNEL32(00000011,00000000,00000000,?,00000011,00111BE3), ref: 0011A615
                                Strings
                                Similarity
                                • API ID: LibraryLoad$ErrorLast
                                • String ID: api-ms-
                                • API String ID: 3177248105-2084034818
                                • Opcode ID: bed523bca2ec20c3e4c4caf82b1aa02db6bf89680a7314f99e1d28ef609f6420
                                • Instruction ID: 7dbcdcc31a3edfccf0a667ceb1b1f67535bf8461f060fe1ce66c4f55a6dd0282
                                • Opcode Fuzzy Hash: bed523bca2ec20c3e4c4caf82b1aa02db6bf89680a7314f99e1d28ef609f6420
                                • Instruction Fuzzy Hash: 19E04F30281208BBEF102B61EC06F983F54AF52B40F588031FA0DE84E1EBB1E9E5D949
                                APIs
                                • GetConsoleOutputCP.KERNEL32(4C17592F,00000010,00000000,?), ref: 0014D931
                                  • Part of subcall function 00151776: WideCharToMultiByte.KERNEL32(00000010,00000000,00178218,00000010,00000010,00000010,0014E309,0000FDE9,00178218,?,?,?,0014E002,0000FDE9,00000000,?), ref: 00151822
                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0014DB8C
                                • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0014DBD4
                                • GetLastError.KERNEL32 ref: 0014DC77
                                Similarity
                                • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                • String ID:
                                • API String ID: 2112829910-0
                                • Opcode ID: 48a82ed914bc68fa17790124a75113a641ee30043b357727306807fae9831aa8
                                • Instruction ID: 7f83998041de377bfcd0e998b2019f5ef75247035445cfd11fc2fe2c6ff8428b
                                • Opcode Fuzzy Hash: 48a82ed914bc68fa17790124a75113a641ee30043b357727306807fae9831aa8
                                • Instruction Fuzzy Hash: 79D178B5E042599FCF15CFA8E8C0AADBBB5FF09304F18452AE855EB261D770A942CF50
                                APIs
                                • __EH_prolog3.LIBCMT ref: 001163F8
                                • UnDecorator::getSymbolName.LIBCMT ref: 0011648A
                                • DName::operator+.LIBCMT ref: 0011658E
                                • DName::DName.LIBVCRUNTIME ref: 00116631
                                  • Part of subcall function 00113D3A: shared_ptr.LIBCMT ref: 00113D56
                                  • Part of subcall function 00113FD4: DName::DName.LIBVCRUNTIME ref: 00114022
                                Similarity
                                • API ID: Name$Name::$Decorator::getH_prolog3Name::operator+Symbolshared_ptr
                                • String ID:
                                • API String ID: 1134295639-0
                                • Opcode ID: a275afcd2f7465440880c0cbc9ffbb7019a75dbd69015f904340417e6b1fa5cd
                                • Instruction ID: 2cdd684ab51f243bf99d91340ee985035a257b40e69ca3cbb47c791504abad62
                                • Opcode Fuzzy Hash: a275afcd2f7465440880c0cbc9ffbb7019a75dbd69015f904340417e6b1fa5cd
                                • Instruction Fuzzy Hash: CE719BB1D04219DFDF08CFA4D881AEEBBB5BF09310F15406AE915AB691D77699C0CFA0
                                APIs
                                • DName::operator+.LIBCMT ref: 00116BC5
                                  • Part of subcall function 00113989: __aulldvrm.LIBCMT ref: 001139BA
                                • DName::operator+.LIBCMT ref: 00116B26
                                • DName::operator=.LIBVCRUNTIME ref: 00116C0A
                                • DName::DName.LIBVCRUNTIME ref: 00116C3C
                                Similarity
                                • API ID: Name::operator+$NameName::Name::operator=__aulldvrm
                                • String ID:
                                • API String ID: 2973644308-0
                                • Opcode ID: 5ba426be55348162abd930f8740b2f8fa16a97f5678e0284e3ffdf28397b13d3
                                • Instruction ID: 05058a16e4c826d0f169c9beaeb19a9eeb22b30643c08b5433278b6a99979740
                                • Opcode Fuzzy Hash: 5ba426be55348162abd930f8740b2f8fa16a97f5678e0284e3ffdf28397b13d3
                                • Instruction Fuzzy Hash: ED617DB4D04219DFCB08CF64D881AEEBBB4FB55300F15816AE9556B291D7729AC1CF90
                                APIs
                                Similarity
                                • API ID: AdjustPointer
                                • String ID:
                                • API String ID: 1740715915-0
                                • Opcode ID: 1303f35070c2f2869946fec08bf5e191db5a1564ebb1af5d2d050d428b63f75c
                                • Instruction ID: 41a8c3d68194a169b2cd14ea5e71db003ad587c4f489363139ec3d7e79fbf61a
                                • Opcode Fuzzy Hash: 1303f35070c2f2869946fec08bf5e191db5a1564ebb1af5d2d050d428b63f75c
                                • Instruction Fuzzy Hash: FD51CAB6601606BFDB2CCF50D881BEAB7A4EF54310F24463DEA4647291E771A8E1DB90
                                APIs
                                • DName::operator+.LIBCMT ref: 001167F4
                                  • Part of subcall function 00113CFE: DName::operator+=.LIBCMT ref: 00113D14
                                Similarity
                                • API ID: Name::operator+Name::operator+=
                                • String ID:
                                • API String ID: 382699925-0
                                • Opcode ID: 6f214fe5bd0207ca2b06b837f117b47694f1fb0d152c2fd976fd4e27dbf428c5
                                • Instruction ID: a526bcfc9e95e0074ba0ca1eaee28928acec14a07b15df552282f742dd135259
                                • Opcode Fuzzy Hash: 6f214fe5bd0207ca2b06b837f117b47694f1fb0d152c2fd976fd4e27dbf428c5
                                • Instruction Fuzzy Hash: FF413A71C0420ADFCB08DFA8D995AEEBBB4AF15314F104129E515BB291DB769AC4CB90
                                APIs
                                • __EH_prolog3.LIBCMT ref: 000EE87B
                                  • Part of subcall function 000EB626: __EH_prolog3.LIBCMT ref: 000EB62D
                                  • Part of subcall function 000EB626: std::_Lockit::_Lockit.LIBCPMT ref: 000EB638
                                  • Part of subcall function 000EB626: std::locale::_Setgloballocale.LIBCPMT ref: 000EB653
                                  • Part of subcall function 000EB626: _Yarn.LIBCPMT ref: 000EB669
                                  • Part of subcall function 000EB626: std::_Lockit::~_Lockit.LIBCPMT ref: 000EB6A6
                                • std::_Lockit::_Lockit.LIBCPMT ref: 000EE89F
                                • std::locale::_Setgloballocale.LIBCPMT ref: 000EE8EE
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 000EE94E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmp
                                APIs
                                  • Part of subcall function 00151776: WideCharToMultiByte.KERNEL32(00000010,00000000,00178218,00000010,00000010,00000010,0014E309,0000FDE9,00178218,?,?,?,0014E002,0000FDE9,00000000,?), ref: 00151822
                                • GetLastError.KERNEL32 ref: 001529E1
                                • __dosmaperr.LIBCMT ref: 001529E8
                                • GetLastError.KERNEL32(?,?,?,?), ref: 00152A22
                                • __dosmaperr.LIBCMT ref: 00152A29
                                APIs
                                • GetEnvironmentStringsW.KERNEL32 ref: 00154633
                                  • Part of subcall function 00151776: WideCharToMultiByte.KERNEL32(00000010,00000000,00178218,00000010,00000010,00000010,0014E309,0000FDE9,00178218,?,?,?,0014E002,0000FDE9,00000000,?), ref: 00151822
                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0015466B
                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0015468B
                                APIs
                                • __EH_prolog3.LIBCMT ref: 000ED921
                                • std::_Lockit::_Lockit.LIBCPMT ref: 000ED92B
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 000ED9D2
                                • Concurrency::cancel_current_task.LIBCPMT ref: 000ED9DD
                                APIs
                                • __EH_prolog3.LIBCMT ref: 000ED6F8
                                • std::_Lockit::_Lockit.LIBCPMT ref: 000ED702
                                  • Part of subcall function 000E2220: std::_Lockit::_Lockit.LIBCPMT ref: 000E222F
                                  • Part of subcall function 000E2220: std::_Lockit::~_Lockit.LIBCPMT ref: 000E224A
                                • std::_Facet_Register.LIBCPMT ref: 000ED753
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 000ED773
                                APIs
                                • CreateThread.KERNEL32(00000000,?,0011AB81,00000000,00000004,00000000), ref: 0011AE7B
                                • GetLastError.KERNEL32 ref: 0011AE87
                                • __dosmaperr.LIBCMT ref: 0011AE8E
                                APIs
                                • SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?), ref: 0015012E
                                • GetLastError.KERNEL32(?,?,?,?), ref: 0015013B
                                • SetFilePointerEx.KERNEL32(?,?,?,?,?), ref: 00150161
                                • SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?), ref: 00150187
                                APIs
                                • __EH_prolog3.LIBCMT ref: 000F8EFD
                                • std::_Lockit::_Lockit.LIBCPMT ref: 000F8F07
                                  • Part of subcall function 000E2220: std::_Lockit::_Lockit.LIBCPMT ref: 000E222F
                                  • Part of subcall function 000E2220: std::_Lockit::~_Lockit.LIBCPMT ref: 000E224A
                                • std::_Facet_Register.LIBCPMT ref: 000F8F58
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 000F8F78
                                APIs
                                • __EH_prolog3.LIBCMT ref: 000F8F92
                                • std::_Lockit::_Lockit.LIBCPMT ref: 000F8F9C
                                  • Part of subcall function 000E2220: std::_Lockit::_Lockit.LIBCPMT ref: 000E222F
                                  • Part of subcall function 000E2220: std::_Lockit::~_Lockit.LIBCPMT ref: 000E224A
                                • std::_Facet_Register.LIBCPMT ref: 000F8FED
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 000F900D
                                APIs
                                • __EH_prolog3.LIBCMT ref: 001073F5
                                • std::_Lockit::_Lockit.LIBCPMT ref: 001073FF
                                  • Part of subcall function 000E2220: std::_Lockit::_Lockit.LIBCPMT ref: 000E222F
                                  • Part of subcall function 000E2220: std::_Lockit::~_Lockit.LIBCPMT ref: 000E224A
                                • std::_Facet_Register.LIBCPMT ref: 00107450
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 00107470
                                APIs
                                • __EH_prolog3.LIBCMT ref: 0010751F
                                • std::_Lockit::_Lockit.LIBCPMT ref: 00107529
                                  • Part of subcall function 000E2220: std::_Lockit::_Lockit.LIBCPMT ref: 000E222F
                                  • Part of subcall function 000E2220: std::_Lockit::~_Lockit.LIBCPMT ref: 000E224A
                                • std::_Facet_Register.LIBCPMT ref: 0010757A
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 0010759A
                                APIs
                                • __EH_prolog3.LIBCMT ref: 001075B4
                                • std::_Lockit::_Lockit.LIBCPMT ref: 001075BE
                                  • Part of subcall function 000E2220: std::_Lockit::_Lockit.LIBCPMT ref: 000E222F
                                  • Part of subcall function 000E2220: std::_Lockit::~_Lockit.LIBCPMT ref: 000E224A
                                • std::_Facet_Register.LIBCPMT ref: 0010760F
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 0010762F
                                APIs
                                • __EH_prolog3.LIBCMT ref: 000F9723
                                • std::_Lockit::_Lockit.LIBCPMT ref: 000F972D
                                  • Part of subcall function 000E2220: std::_Lockit::_Lockit.LIBCPMT ref: 000E222F
                                  • Part of subcall function 000E2220: std::_Lockit::~_Lockit.LIBCPMT ref: 000E224A
                                • std::_Facet_Register.LIBCPMT ref: 000F977E
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 000F979E
                                APIs
                                • __EH_prolog3.LIBCMT ref: 00107773
                                • std::_Lockit::_Lockit.LIBCPMT ref: 0010777D
                                  • Part of subcall function 000E2220: std::_Lockit::_Lockit.LIBCPMT ref: 000E222F
                                  • Part of subcall function 000E2220: std::_Lockit::~_Lockit.LIBCPMT ref: 000E224A
                                • std::_Facet_Register.LIBCPMT ref: 001077CE
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 001077EE
                                Similarity
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                • String ID:
                                • API String ID: 2854358121-0
                                • Opcode ID: ff94fe874315bd10a94839c6ab46db7ec46078a45455a74f1db7d86217e56e40
                                • Instruction ID: f41f637d187bc6900b02364635f090eb79c1dbd562e5cf12a33965ddf6aaf15b
                                • Opcode Fuzzy Hash: ff94fe874315bd10a94839c6ab46db7ec46078a45455a74f1db7d86217e56e40
                                • Instruction Fuzzy Hash: 8401C0769002559FCB05EBA4C885AFEBB66AF94320F240508E4517B3E2CFB0AA41CBD0
                                APIs
                                • __EH_prolog3.LIBCMT ref: 000F97B8
                                • std::_Lockit::_Lockit.LIBCPMT ref: 000F97C2
                                  • Part of subcall function 000E2220: std::_Lockit::_Lockit.LIBCPMT ref: 000E222F
                                  • Part of subcall function 000E2220: std::_Lockit::~_Lockit.LIBCPMT ref: 000E224A
                                • std::_Facet_Register.LIBCPMT ref: 000F9813
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 000F9833
                                Similarity
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                • String ID:
                                • API String ID: 2854358121-0
                                • Opcode ID: 7a765bc5eca6cea11be5c176cc4034c750b826286c28479c50500a49563cf137
                                • Instruction ID: 1eb4e112708d5f5fa71f51de2991a3a89595958b3807310cf30e10fd9dc0981c
                                • Opcode Fuzzy Hash: 7a765bc5eca6cea11be5c176cc4034c750b826286c28479c50500a49563cf137
                                • Instruction Fuzzy Hash: 4901C0329002599FCB05EBA4D841BFEBBA5AF94710F144109E905BB292CF709E01DFC1
                                APIs
                                • __EH_prolog3.LIBCMT ref: 00107808
                                • std::_Lockit::_Lockit.LIBCPMT ref: 00107812
                                  • Part of subcall function 000E2220: std::_Lockit::_Lockit.LIBCPMT ref: 000E222F
                                  • Part of subcall function 000E2220: std::_Lockit::~_Lockit.LIBCPMT ref: 000E224A
                                • std::_Facet_Register.LIBCPMT ref: 00107863
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 00107883
                                Similarity
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                • String ID:
                                • API String ID: 2854358121-0
                                • Opcode ID: 9885918083178448ff001f64945215bf68dbd73596e1f9d14f0759611eed4473
                                • Instruction ID: 6b4c826f39743fe861ad0658e82a8442e5aff954bed6ef2cca5d42b5338ecc35
                                • Opcode Fuzzy Hash: 9885918083178448ff001f64945215bf68dbd73596e1f9d14f0759611eed4473
                                • Instruction Fuzzy Hash: 4201C032D00155AFCF09EBA4D805AFEB7A5AF94710F144109E4517B3D2CFB0AA04CB81
                                APIs
                                • __EH_prolog3.LIBCMT ref: 000F984D
                                • std::_Lockit::_Lockit.LIBCPMT ref: 000F9857
                                  • Part of subcall function 000E2220: std::_Lockit::_Lockit.LIBCPMT ref: 000E222F
                                  • Part of subcall function 000E2220: std::_Lockit::~_Lockit.LIBCPMT ref: 000E224A
                                • std::_Facet_Register.LIBCPMT ref: 000F98A8
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 000F98C8
                                Similarity
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                • String ID:
                                • API String ID: 2854358121-0
                                • Opcode ID: 2aa1648900400271c5ac6a73511febe319213898359a8549b3a439e17afdb671
                                • Instruction ID: f91c51956a32c1c0761785f820fe5638ce24c0569384be612964694e3f1406a7
                                • Opcode Fuzzy Hash: 2aa1648900400271c5ac6a73511febe319213898359a8549b3a439e17afdb671
                                • Instruction Fuzzy Hash: 0D01CC36900259DFCF05EBA4D945AFEB7A5EF91320F244109E5017B2E2CF749E02CB91
                                APIs
                                • __EH_prolog3.LIBCMT ref: 000F98E2
                                • std::_Lockit::_Lockit.LIBCPMT ref: 000F98EC
                                  • Part of subcall function 000E2220: std::_Lockit::_Lockit.LIBCPMT ref: 000E222F
                                  • Part of subcall function 000E2220: std::_Lockit::~_Lockit.LIBCPMT ref: 000E224A
                                • std::_Facet_Register.LIBCPMT ref: 000F993D
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 000F995D
                                Similarity
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                • String ID:
                                • API String ID: 2854358121-0
                                • Opcode ID: 9640eca0b2e5c8b5a3471faeeb072cf3a8f38eb13805ce200c518ff48e830dfb
                                • Instruction ID: 06428ac7654a7389b689ba5e5239dc4045b8cda05df2d4ca4b110d533077eda3
                                • Opcode Fuzzy Hash: 9640eca0b2e5c8b5a3471faeeb072cf3a8f38eb13805ce200c518ff48e830dfb
                                • Instruction Fuzzy Hash: 5101C032A001599FCB05EBA4C841AFEB7A5FF90710F15010CE5017B292CFB09E01CB81
                                APIs
                                • __EH_prolog3.LIBCMT ref: 000F9AA1
                                • std::_Lockit::_Lockit.LIBCPMT ref: 000F9AAB
                                  • Part of subcall function 000E2220: std::_Lockit::_Lockit.LIBCPMT ref: 000E222F
                                  • Part of subcall function 000E2220: std::_Lockit::~_Lockit.LIBCPMT ref: 000E224A
                                • std::_Facet_Register.LIBCPMT ref: 000F9AFC
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 000F9B1C
                                Similarity
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                • String ID:
                                • API String ID: 2854358121-0
                                • Opcode ID: 46bd2b8d102faf2d9dcd6acc0f9a772b7f42300b64a6cbfe7cd0dbef706aff31
                                • Instruction ID: abb93f40b4b7e22654cfb7193c6993abbd7d505e8b411e46ca31011e4df4e290
                                • Opcode Fuzzy Hash: 46bd2b8d102faf2d9dcd6acc0f9a772b7f42300b64a6cbfe7cd0dbef706aff31
                                • Instruction Fuzzy Hash: 8601D232A001599FCB15EBA4E901BFEBBA5EF94720F244109E6017B2D2CF749E01DBC1
                                APIs
                                • __EH_prolog3.LIBCMT ref: 000F9B36
                                • std::_Lockit::_Lockit.LIBCPMT ref: 000F9B40
                                  • Part of subcall function 000E2220: std::_Lockit::_Lockit.LIBCPMT ref: 000E222F
                                  • Part of subcall function 000E2220: std::_Lockit::~_Lockit.LIBCPMT ref: 000E224A
                                • std::_Facet_Register.LIBCPMT ref: 000F9B91
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 000F9BB1
                                Similarity
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                • String ID:
                                • API String ID: 2854358121-0
                                • Opcode ID: 69e0fa093b2b2b9958c533d4a21a6d26ecb8f63d1f74480a21aa7430654b5c2e
                                • Instruction ID: c66337456c03285e754944db4e01873d27d3d7ba23d195aa2780f9cb2044b21d
                                • Opcode Fuzzy Hash: 69e0fa093b2b2b9958c533d4a21a6d26ecb8f63d1f74480a21aa7430654b5c2e
                                • Instruction Fuzzy Hash: 7201C036A001599FCB06EBA4D901BFEB7A5EF90710F140108E511BB2E2CF749E05DBC1
                                APIs
                                • __EH_prolog3.LIBCMT ref: 000F9BCB
                                • std::_Lockit::_Lockit.LIBCPMT ref: 000F9BD5
                                  • Part of subcall function 000E2220: std::_Lockit::_Lockit.LIBCPMT ref: 000E222F
                                  • Part of subcall function 000E2220: std::_Lockit::~_Lockit.LIBCPMT ref: 000E224A
                                • std::_Facet_Register.LIBCPMT ref: 000F9C26
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 000F9C46
                                Similarity
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                • String ID:
                                • API String ID: 2854358121-0
                                • Opcode ID: b11181a80001628ccadc38af2d58a4cd0f1d1d5789cbf00f1fbaa6edcc7fc1dd
                                • Instruction ID: c89ce3b016aabae05fb36807f230e935a2e5e0d7bc3cfd8d815575fb3e89c13b
                                • Opcode Fuzzy Hash: b11181a80001628ccadc38af2d58a4cd0f1d1d5789cbf00f1fbaa6edcc7fc1dd
                                • Instruction Fuzzy Hash: DF01C0729001599FCB05EBA4D941BFEBBA5AF94320F244108E511BB692CF749A40DBC0
                                APIs
                                • __EH_prolog3.LIBCMT ref: 000F9C60
                                • std::_Lockit::_Lockit.LIBCPMT ref: 000F9C6A
                                  • Part of subcall function 000E2220: std::_Lockit::_Lockit.LIBCPMT ref: 000E222F
                                  • Part of subcall function 000E2220: std::_Lockit::~_Lockit.LIBCPMT ref: 000E224A
                                • std::_Facet_Register.LIBCPMT ref: 000F9CBB
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 000F9CDB
                                Similarity
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                • String ID:
                                • API String ID: 2854358121-0
                                • Opcode ID: cda91ff43b6f90ab5a5cfbe95f29998d2367b96f43609058ce5a71f7a20f3adf
                                • Instruction ID: c3c83c0e25171f2fda40f11e8b861a59087af1ebcda2331c727307e56e56199e
                                • Opcode Fuzzy Hash: cda91ff43b6f90ab5a5cfbe95f29998d2367b96f43609058ce5a71f7a20f3adf
                                • Instruction Fuzzy Hash: 3F01C0769001599FCB09EBA4D901BFEB7A5AF90720F144109E5117B292CF749E05DBD1
                                APIs
                                • __EH_prolog3.LIBCMT ref: 000F9027
                                • std::_Lockit::_Lockit.LIBCPMT ref: 000F9031
                                  • Part of subcall function 000E2220: std::_Lockit::_Lockit.LIBCPMT ref: 000E222F
                                  • Part of subcall function 000E2220: std::_Lockit::~_Lockit.LIBCPMT ref: 000E224A
                                • ctype.LIBCPMT ref: 000F906B
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 000F90A2
                                Similarity
                                • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3ctype
                                • String ID:
                                • API String ID: 3358926169-0
                                • Opcode ID: b720c7c8a419794c97a11b81fb42d9d8232288b7777d30f69f06edecc6bc05b3
                                • Instruction ID: c6478f1b27638956d18a808a39f55a762bab09fd4e9d59d78506fb43c277f63e
                                • Opcode Fuzzy Hash: b720c7c8a419794c97a11b81fb42d9d8232288b7777d30f69f06edecc6bc05b3
                                • Instruction Fuzzy Hash: 35F09A32900219AFCB06EBA1C842BFE7265AFA0320F500508F6107B6D3EF758A04DBC5
                                APIs
                                • __EH_prolog3.LIBCMT ref: 000F90BC
                                • std::_Lockit::_Lockit.LIBCPMT ref: 000F90C6
                                  • Part of subcall function 000E2220: std::_Lockit::_Lockit.LIBCPMT ref: 000E222F
                                  • Part of subcall function 000E2220: std::_Lockit::~_Lockit.LIBCPMT ref: 000E224A
                                • ctype.LIBCPMT ref: 000F9100
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 000F9137
                                Similarity
                                • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3ctype
                                • String ID:
                                • API String ID: 3358926169-0
                                • Opcode ID: 49cc2328e683533509618b2e7cc5580040c782d53c90129df121e3e7c34b2a05
                                • Instruction ID: 8d4169ae508aae0cc2621f7279d29e58bdce4592f7b47d666b4769e1ad566be7
                                • Opcode Fuzzy Hash: 49cc2328e683533509618b2e7cc5580040c782d53c90129df121e3e7c34b2a05
                                • Instruction Fuzzy Hash: 09F0903290025AAFCB05FBA0C946BFE3365AF90720F500518F6107B5D3DF748A048BC1
                                APIs
                                • __EH_prolog3.LIBCMT ref: 000F9151
                                • std::_Lockit::_Lockit.LIBCPMT ref: 000F915B
                                  • Part of subcall function 000E2220: std::_Lockit::_Lockit.LIBCPMT ref: 000E222F
                                  • Part of subcall function 000E2220: std::_Lockit::~_Lockit.LIBCPMT ref: 000E224A
                                • messages.LIBCPMT ref: 000F9195
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 000F91CC
                                Similarity
                                • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3messages
                                • String ID:
                                • API String ID: 50917705-0
                                • Opcode ID: 09418fcd83cb1447b54dfcb5dee3c53c6fb89d3725c38919d65f0cba7799ea68
                                • Instruction ID: 19a159592dff2c277da8272b654248beb9fb50437f1845660b2926bc6defb7b1
                                • Opcode Fuzzy Hash: 09418fcd83cb1447b54dfcb5dee3c53c6fb89d3725c38919d65f0cba7799ea68
                                • Instruction Fuzzy Hash: C0F09A3290021AABCB06FBA0C946BFE7265AF60720F600218F7117B6D2DF748A059B81
                                APIs
                                • __EH_prolog3.LIBCMT ref: 000F91E6
                                • std::_Lockit::_Lockit.LIBCPMT ref: 000F91F0
                                  • Part of subcall function 000E2220: std::_Lockit::_Lockit.LIBCPMT ref: 000E222F
                                  • Part of subcall function 000E2220: std::_Lockit::~_Lockit.LIBCPMT ref: 000E224A
                                • messages.LIBCPMT ref: 000F922A
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 000F9261
                                Similarity
                                • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3messages
                                • String ID:
                                • API String ID: 50917705-0
                                • Opcode ID: 08ee838ddb1253ebee7f34a01117fefcc2d215478b53fcc0c1c78572c4e47ba7
                                • Instruction ID: aa90721ed8cc03fd1638ce76a970ad13242a5644845c0ed38028600e4f67f82e
                                • Opcode Fuzzy Hash: 08ee838ddb1253ebee7f34a01117fefcc2d215478b53fcc0c1c78572c4e47ba7
                                • Instruction Fuzzy Hash: 05F09A32900109AFCF4AEBA0D942BFE7269AF60B20F540118FA107B6D2DF749E04CB80
                                APIs
                                • WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 00160395
                                • GetLastError.KERNEL32 ref: 001603A1
                                  • Part of subcall function 0016044A: CloseHandle.KERNEL32(FFFFFFFE,00160494,?,0015BF8F,00000010,00000001,00000010,?,?,0014DCCB,?,00000010,00000000,?,?), ref: 0016045A
                                • ___initconout.LIBCMT ref: 001603B1
                                  • Part of subcall function 0016040C: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0016043B,0015BF7C,?,?,0014DCCB,?,00000010,00000000,?), ref: 0016041F
                                • WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 001603C5
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                • String ID:
                                • API String ID: 2744216297-0
                                • Opcode ID: a1ae0f311dc8a00479c35b5c9cc217d2b53da4e540599181a2688276199f3626
                                • Instruction ID: 57e4f1a60f225d59602ae2c17fd562f893ee1e583a364d60b5c064b9950b80e1
                                • Opcode Fuzzy Hash: a1ae0f311dc8a00479c35b5c9cc217d2b53da4e540599181a2688276199f3626
                                • Instruction Fuzzy Hash: 95F0FE36100601EFCB222B96DC049477FB6FFDD7517114425F65A82930DB71D8A1DB51
                                APIs
                                • WriteConsoleW.KERNEL32(00000010,00000000,00178218,00000000,00000010,?,0015BF8F,00000010,00000001,00000010,?,?,0014DCCB,?,00000010,00000000), ref: 00160478
                                • GetLastError.KERNEL32(?,0015BF8F,00000010,00000001,00000010,?,?,0014DCCB,?,00000010,00000000,?,?,?,0014E29A,00000010), ref: 00160484
                                  • Part of subcall function 0016044A: CloseHandle.KERNEL32(FFFFFFFE,00160494,?,0015BF8F,00000010,00000001,00000010,?,?,0014DCCB,?,00000010,00000000,?,?), ref: 0016045A
                                • ___initconout.LIBCMT ref: 00160494
                                  • Part of subcall function 0016040C: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0016043B,0015BF7C,?,?,0014DCCB,?,00000010,00000000,?), ref: 0016041F
                                • WriteConsoleW.KERNEL32(00000010,00000000,00178218,00000000,?,0015BF8F,00000010,00000001,00000010,?,?,0014DCCB,?,00000010,00000000,?), ref: 001604A9
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                • String ID:
                                • API String ID: 2744216297-0
                                • Opcode ID: 78c4e67ee3c3d292308b34c5a4d17dfbc892e18be8e320e08120c2ec39997eea
                                • Instruction ID: 3b056c0c0587a5e209eca558b9d67b98c6eb4c253455ed3f06ea2337c61c5b6a
                                • Opcode Fuzzy Hash: 78c4e67ee3c3d292308b34c5a4d17dfbc892e18be8e320e08120c2ec39997eea
                                • Instruction Fuzzy Hash: 88F01536000229BBCF222F95DC0898A3F66FF593A0B408120FA0996531DBB2C8B0DBD1
                                APIs
                                • __EH_prolog3.LIBCMT ref: 000F94CF
                                • std::_Lockit::_Lockit.LIBCPMT ref: 000F94D9
                                  • Part of subcall function 000E2220: std::_Lockit::_Lockit.LIBCPMT ref: 000E222F
                                  • Part of subcall function 000E2220: std::_Lockit::~_Lockit.LIBCPMT ref: 000E224A
                                • moneypunct.LIBCPMT ref: 000F9513
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 000F954A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3moneypunct
                                • String ID:
                                • API String ID: 3160146232-0
                                • Opcode ID: 4af12f2e542c8565a94f5e892c0d1fe0277e941acd34e532fc9b398a57ddd5f2
                                • Instruction ID: 594d8a9480e1a843d9f63e6637adbbc9dae594ca083866467258817bc5f60508
                                • Opcode Fuzzy Hash: 4af12f2e542c8565a94f5e892c0d1fe0277e941acd34e532fc9b398a57ddd5f2
                                • Instruction Fuzzy Hash: D1F08C32900259EBCF06EBA0C952BFE7669EF60700F400008F6007B2A2CF748A04CB81
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: __aulldiv
                                • String ID: +$-
                                • API String ID: 3732870572-2137968064
                                • Opcode ID: 2aa0a1fdbdad134754cd3774889f26da487012c11bb058aa3aad14e1fe060bdc
                                • Instruction ID: 6ade358f327847915ab372857644a20ceb1583bf115f6c6cb9aa671ba5ca2d2f
                                • Opcode Fuzzy Hash: 2aa0a1fdbdad134754cd3774889f26da487012c11bb058aa3aad14e1fe060bdc
                                • Instruction Fuzzy Hash: 2DA1D430A01658EFDF24CE68C8917FE7BB3EF55B24F148659E8A5AB381D3309901DB50
                                APIs
                                • OffsetRect.USER32(00000000,00000000,00000000), ref: 001672E8
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: OffsetRect
                                • String ID: 0$Zatlat
                                • API String ID: 177026234-1547964091
                                • Opcode ID: 5f4b5d456f0efcc65066866f3fabf889f032f180a8273aee139d0d5b2213d0fb
                                • Instruction ID: 27e8409e56b130242d30f73c26c704978a3a0e9ff163c4a03ecc175851e72945
                                • Opcode Fuzzy Hash: 5f4b5d456f0efcc65066866f3fabf889f032f180a8273aee139d0d5b2213d0fb
                                • Instruction Fuzzy Hash: 3E91FF716083805FE300DF25CC99B6FBBE1AFD5318F540A2CF9859B292D7B5D8488B92
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: H_prolog3___cftoe
                                • String ID: !%x
                                • API String ID: 855520168-1893981228
                                • Opcode ID: a480a2b13cd68a861235e5544b3bbe3c6b677482e30d215893427b7e02eb5e6a
                                • Instruction ID: 34dd5179a3a295fab2eb6fc17d3cdf276d6f93940e9fa7755b1a348332748107
                                • Opcode Fuzzy Hash: a480a2b13cd68a861235e5544b3bbe3c6b677482e30d215893427b7e02eb5e6a
                                • Instruction Fuzzy Hash: 27717A72D00208AFDF18EFA8E881AEEB7B6EF48304F144529F455A7291EB75AD41CF50
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: H_prolog3___cftoe
                                • String ID: !%x
                                • API String ID: 855520168-1893981228
                                • Opcode ID: 49dfab99826265205fcedecf5757529513eaca2110f14d0f58366dab5a8b82b7
                                • Instruction ID: 1b9f7d272726f837b336201d053d3e5a0ec766574637afa179a20046b7bc0d1a
                                • Opcode Fuzzy Hash: 49dfab99826265205fcedecf5757529513eaca2110f14d0f58366dab5a8b82b7
                                • Instruction Fuzzy Hash: 7C716B71D00609AFDF18EFA8D885AEEB7B6EF48300F10411AF455A7291EB75AE41CF50
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: __aulldiv
                                • String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
                                • API String ID: 3732870572-1956417402
                                • Opcode ID: e4b9087f2230b7c5b1f93156e5ddf5c8b5931fbec3a1c5a8c825152b036d0153
                                • Instruction ID: 4c80ef4f9a1bd0e8944b132a860f6303020d8822a2ae7d59d9d18e32321dc2ca
                                • Opcode Fuzzy Hash: e4b9087f2230b7c5b1f93156e5ddf5c8b5931fbec3a1c5a8c825152b036d0153
                                • Instruction Fuzzy Hash: 7D51C730A0C259ABDF258EA984D17BEBBF9AF45300F144469E4D2EB2C2D3F49A418B51
                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 00104216
                                  • Part of subcall function 000F9020: __EH_prolog3.LIBCMT ref: 000F9027
                                  • Part of subcall function 000F9020: std::_Lockit::_Lockit.LIBCPMT ref: 000F9031
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: H_prolog3H_prolog3_LockitLockit::_std::_
                                • String ID: %.0Lf$0123456789-
                                • API String ID: 79917597-3094241602
                                • Opcode ID: ba2591f3bd48f923f852785f999e1e788a075a6dc1c7c822539be50df01247a3
                                • Instruction ID: 4c2b29fbe6e79040c66460fc603f6c1ca820fdcf8d340d9c334898f43ea40ccd
                                • Opcode Fuzzy Hash: ba2591f3bd48f923f852785f999e1e788a075a6dc1c7c822539be50df01247a3
                                • Instruction Fuzzy Hash: F5418A71A0011DDFCF05EFE4D8819EEBBB5BF08310F10011AFA51AB692DB709A56CB90
                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 00104543
                                  • Part of subcall function 000F90B5: __EH_prolog3.LIBCMT ref: 000F90BC
                                  • Part of subcall function 000F90B5: std::_Lockit::_Lockit.LIBCPMT ref: 000F90C6
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: H_prolog3H_prolog3_LockitLockit::_std::_
                                • String ID: 0123456789-$0123456789-
                                • API String ID: 79917597-2494171821
                                • Opcode ID: 86a57ad252cd912d2528cbbade16db870e083b466b7e96184d28fec286c43ca6
                                • Instruction ID: f96df5a63d73435ad40eeb613285aace0c96123dc9756a490e4a94bab89fc148
                                • Opcode Fuzzy Hash: 86a57ad252cd912d2528cbbade16db870e083b466b7e96184d28fec286c43ca6
                                • Instruction Fuzzy Hash: BC4179B190011DDFCF05EFA4C8919EEBBB5FF08310F100169EA51AB292DB709E5ACB95
                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 0010A837
                                  • Part of subcall function 000E59E0: std::_Lockit::_Lockit.LIBCPMT ref: 000E59ED
                                  • Part of subcall function 000E59E0: std::_Lockit::_Lockit.LIBCPMT ref: 000E5A07
                                  • Part of subcall function 000E59E0: std::_Lockit::~_Lockit.LIBCPMT ref: 000E5A28
                                  • Part of subcall function 000E59E0: std::_Lockit::~_Lockit.LIBCPMT ref: 000E5A54
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3_
                                • String ID: 0123456789-$0123456789-
                                • API String ID: 2088892359-2494171821
                                • Opcode ID: 7547070d5a9d2948753014d8ce94823c07f4930c9de084a617ea8ceb539d15b0
                                • Instruction ID: 56c7750421b0a2ef2d0b3c1488155d4230f222e60e07a82a0853445e21762c7d
                                • Opcode Fuzzy Hash: 7547070d5a9d2948753014d8ce94823c07f4930c9de084a617ea8ceb539d15b0
                                • Instruction Fuzzy Hash: 66418A31E00248EFCF15EFA4D8919EEBBB5AF08310F10405AF951AB292DB74AE16DF51
                                APIs
                                • std::_Lockit::_Lockit.LIBCPMT ref: 000E7429
                                • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 000E747A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                • String ID: bad locale name
                                • API String ID: 3988782225-1405518554
                                • Opcode ID: f800c327474273ea5a394ab23aad43155b63a0401e264111c52c77b39129bc4e
                                • Instruction ID: 714ab2f5efd4765ece5c99bac09325da91332f1d913cd41d981efcdaca0629c2
                                • Opcode Fuzzy Hash: f800c327474273ea5a394ab23aad43155b63a0401e264111c52c77b39129bc4e
                                • Instruction Fuzzy Hash: 932177B05093819FD750DF29C84074BBFE0AF94714F68885DF588AB292D3B6C909CB92
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: NameName::
                                • String ID: A
                                • API String ID: 1333004437-3554254475
                                • Opcode ID: 8f0dcd789fc8e47b187171eed45d4421fb005dd7f7d18e93f2dab4eb955588d1
                                • Instruction ID: 12772f4d0c56feeac6ae1941eb2cfed45c777c7b821244f9ea713e973c716664
                                • Opcode Fuzzy Hash: 8f0dcd789fc8e47b187171eed45d4421fb005dd7f7d18e93f2dab4eb955588d1
                                • Instruction Fuzzy Hash: 2D21BBB0A04208EFDF0CDFA4E812AEC7BB1EB05304F1480A9F4999B295C7729AC5CF41
                                APIs
                                • std::_Lockit::_Lockit.LIBCPMT ref: 000E2075
                                • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 000E20BA
                                  • Part of subcall function 000EB724: _Yarn.LIBCPMT ref: 000EB743
                                  • Part of subcall function 000EB724: _Yarn.LIBCPMT ref: 000EB767
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1826479976.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                • Associated: 00000000.00000002.1826463629.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826525864.0000000000168000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.000000000017A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826545692.00000000001BC000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1826600339.00000000001C9000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                • String ID: bad locale name
                                • API String ID: 1908188788-1405518554
                                • Opcode ID: de11f62c5c79b20ed6271bb2b8969536cab3895493ce571ac280c703f930461c
                                • Instruction ID: 73035a92fc1eab9d8de94d180a6c2dd85eeafbeab2aa41c778835ad14dd4980b
                                • Opcode Fuzzy Hash: de11f62c5c79b20ed6271bb2b8969536cab3895493ce571ac280c703f930461c
                                • Instruction Fuzzy Hash: F1F090B0100B809ED370DF3A8401747BEE0AF24300F008E1DD1CAD7A52D374E148CBA5

                                Execution Graph

                                Execution Coverage:7.7%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:0%
                                Total number of Nodes:52
                                Total number of Limit Nodes:9
                                execution_graph 14667 122d300 DuplicateHandle 14668 122d396 14667->14668 14669 122ad38 14670 122ad47 14669->14670 14673 122ae2f 14669->14673 14681 122ae30 14669->14681 14674 122ae41 14673->14674 14675 122ae64 14673->14675 14674->14675 14689 122b0b8 14674->14689 14693 122b0c8 14674->14693 14675->14670 14676 122ae5c 14676->14675 14677 122b068 GetModuleHandleW 14676->14677 14678 122b095 14677->14678 14678->14670 14682 122ae41 14681->14682 14684 122ae64 14681->14684 14682->14684 14687 122b0b8 LoadLibraryExW 14682->14687 14688 122b0c8 LoadLibraryExW 14682->14688 14683 122ae5c 14683->14684 14685 122b068 GetModuleHandleW 14683->14685 14684->14670 14686 122b095 14685->14686 14686->14670 14687->14683 14688->14683 14690 122b0c8 14689->14690 14692 122b101 14690->14692 14697 122a870 14690->14697 14692->14676 14694 122b0dc 14693->14694 14695 122b101 14694->14695 14696 122a870 LoadLibraryExW 14694->14696 14695->14676 14696->14695 14698 122b2a8 LoadLibraryExW 14697->14698 14700 122b321 14698->14700 14700->14692 14701 122d0b8 14702 122d0fe GetCurrentProcess 14701->14702 14704 122d150 GetCurrentThread 14702->14704 14705 122d149 14702->14705 14706 122d186 14704->14706 14707 122d18d GetCurrentProcess 14704->14707 14705->14704 14706->14707 14710 122d1c3 14707->14710 14708 122d1eb GetCurrentThreadId 14709 122d21c 14708->14709 14710->14708 14711 1224668 14712 1224684 14711->14712 14713 1224696 14712->14713 14715 12247a0 14712->14715 14716 12247c5 14715->14716 14720 12248b0 14716->14720 14724 12248a1 14716->14724 14722 12248d7 14720->14722 14721 12249b4 14721->14721 14722->14721 14728 1224248 14722->14728 14726 12248b0 14724->14726 14725 12249b4 14725->14725 14726->14725 14727 1224248 CreateActCtxA 14726->14727 14727->14725 14729 1225940 CreateActCtxA 14728->14729 14731 1225a03 14729->14731

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 526 122d0a8-122d147 GetCurrentProcess 530 122d150-122d184 GetCurrentThread 526->530 531 122d149-122d14f 526->531 532 122d186-122d18c 530->532 533 122d18d-122d1c1 GetCurrentProcess 530->533 531->530 532->533 535 122d1c3-122d1c9 533->535 536 122d1ca-122d1e5 call 122d289 533->536 535->536 539 122d1eb-122d21a GetCurrentThreadId 536->539 540 122d223-122d285 539->540 541 122d21c-122d222 539->541 541->540
                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 0122D136
                                • GetCurrentThread.KERNEL32 ref: 0122D173
                                • GetCurrentProcess.KERNEL32 ref: 0122D1B0
                                • GetCurrentThreadId.KERNEL32 ref: 0122D209
                                Memory Dump Source
                                • Source File: 00000001.00000002.1784443759.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_1220000_RegAsm.jbxd
                                Similarity
                                • API ID: Current$ProcessThread
                                • String ID:
                                • API String ID: 2063062207-0
                                • Opcode ID: 1929fea9ef2acd89a5e66beb6e869b61d09faf932159e485de0bc6568d9a91ac
                                • Instruction ID: 22c9e2dd989d130ec3c480570c22aa094ca4ebcd9d4cb823a2f79215afce2c5d
                                • Opcode Fuzzy Hash: 1929fea9ef2acd89a5e66beb6e869b61d09faf932159e485de0bc6568d9a91ac
                                • Instruction Fuzzy Hash: 335155B09002499FDB48CFAAD648BDEBFF1AF48314F208459D159A73A0DB349884CB65

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 548 122d0b8-122d147 GetCurrentProcess 552 122d150-122d184 GetCurrentThread 548->552 553 122d149-122d14f 548->553 554 122d186-122d18c 552->554 555 122d18d-122d1c1 GetCurrentProcess 552->555 553->552 554->555 557 122d1c3-122d1c9 555->557 558 122d1ca-122d1e5 call 122d289 555->558 557->558 561 122d1eb-122d21a GetCurrentThreadId 558->561 562 122d223-122d285 561->562 563 122d21c-122d222 561->563 563->562
                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 0122D136
                                • GetCurrentThread.KERNEL32 ref: 0122D173
                                • GetCurrentProcess.KERNEL32 ref: 0122D1B0
                                • GetCurrentThreadId.KERNEL32 ref: 0122D209
                                Memory Dump Source
                                • Source File: 00000001.00000002.1784443759.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_1220000_RegAsm.jbxd
                                Similarity
                                • API ID: Current$ProcessThread
                                • String ID:
                                • API String ID: 2063062207-0
                                • Opcode ID: 4fa918813dec04093d63664598970235f899c6f4b52aa43cbb26bce77768eb9c
                                • Instruction ID: d5a827441a1ea4d4d16a8fc62f88442e879c38ff68111a6fa6c7e91dc4bcbcaf
                                • Opcode Fuzzy Hash: 4fa918813dec04093d63664598970235f899c6f4b52aa43cbb26bce77768eb9c
                                • Instruction Fuzzy Hash: 6E5155B09002499FDB54CFAAD948BDEBBF1AF88314F20C459E119A73A0CB349884CF65

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 593 122ae30-122ae3f 594 122ae41-122ae4e call 1229838 593->594 595 122ae6b-122ae6f 593->595 602 122ae50 594->602 603 122ae64 594->603 596 122ae83-122aec4 595->596 597 122ae71-122ae7b 595->597 604 122aed1-122aedf 596->604 605 122aec6-122aece 596->605 597->596 652 122ae56 call 122b0b8 602->652 653 122ae56 call 122b0c8 602->653 603->595 606 122af03-122af05 604->606 607 122aee1-122aee6 604->607 605->604 610 122af08-122af0f 606->610 611 122aef1 607->611 612 122aee8-122aeef call 122a814 607->612 608 122ae5c-122ae5e 608->603 609 122afa0-122afb7 608->609 624 122afb9-122b018 609->624 613 122af11-122af19 610->613 614 122af1c-122af23 610->614 615 122aef3-122af01 611->615 612->615 613->614 618 122af30-122af39 call 122a824 614->618 619 122af25-122af2d 614->619 615->610 625 122af46-122af4b 618->625 626 122af3b-122af43 618->626 619->618 644 122b01a-122b01c 624->644 627 122af69-122af76 625->627 628 122af4d-122af54 625->628 626->625 633 122af78-122af96 627->633 634 122af99-122af9f 627->634 628->627 630 122af56-122af66 call 122a834 call 122a844 628->630 630->627 633->634 645 122b048-122b060 644->645 646 122b01e-122b046 644->646 647 122b062-122b065 645->647 648 122b068-122b093 GetModuleHandleW 645->648 646->645 647->648 649 122b095-122b09b 648->649 650 122b09c-122b0b0 648->650 649->650 652->608 653->608
                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0122B086
                                Memory Dump Source
                                • Source File: 00000001.00000002.1784443759.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_1220000_RegAsm.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: 45667b8dd2119ce3ce2936b6b558d7369151ab6cf0883c87421456b0f3f341bc
                                • Instruction ID: e40c76772ec5433338ae5995bfa8ccf72a50337e0799066a4ae10c4e9bbf98ae
                                • Opcode Fuzzy Hash: 45667b8dd2119ce3ce2936b6b558d7369151ab6cf0883c87421456b0f3f341bc
                                • Instruction Fuzzy Hash: 0B818AB0A10B569FDB24DF29C14076ABBF1FF48304F00892ED58AD7A50D779E94ACB90

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 654 1225935-122593c 655 1225944-1225a01 CreateActCtxA 654->655 657 1225a03-1225a09 655->657 658 1225a0a-1225a64 655->658 657->658 665 1225a73-1225a77 658->665 666 1225a66-1225a69 658->666 667 1225a88 665->667 668 1225a79-1225a85 665->668 666->665 670 1225a89 667->670 668->667 670->670
                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 012259F1
                                Memory Dump Source
                                • Source File: 00000001.00000002.1784443759.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_1220000_RegAsm.jbxd
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                • Opcode ID: 502b03d241495402269997ba8fdca2517d4fbb7808c3ccef9f7763ad1e158678
                                • Instruction ID: f1d35a03614a2b677f06c7881bfb09d0e3739cfb5af6a70cad69491066369ffe
                                • Opcode Fuzzy Hash: 502b03d241495402269997ba8fdca2517d4fbb7808c3ccef9f7763ad1e158678
                                • Instruction Fuzzy Hash: CD41F2B0C10729DEEB24CFA9C984BDDBBB5BF48304F24805AD408BB251DB756989CF90

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 671 1224248-1225a01 CreateActCtxA 674 1225a03-1225a09 671->674 675 1225a0a-1225a64 671->675 674->675 682 1225a73-1225a77 675->682 683 1225a66-1225a69 675->683 684 1225a88 682->684 685 1225a79-1225a85 682->685 683->682 687 1225a89 684->687 685->684 687->687
                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 012259F1
                                Memory Dump Source
                                • Source File: 00000001.00000002.1784443759.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_1220000_RegAsm.jbxd
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                • Opcode ID: fbf70e3d0389f206e0e8d88fcd84f8a2905d022bf522f1febe23ac857b8d25fe
                                • Instruction ID: ae2dcf196eccc9f957d448cc73266ca5b2935148e5dbdee5878c62fecee0b7f5
                                • Opcode Fuzzy Hash: fbf70e3d0389f206e0e8d88fcd84f8a2905d022bf522f1febe23ac857b8d25fe
                                • Instruction Fuzzy Hash: 2C41E0B0D10729DADB24CFA9C885BDEBBB5FF49304F24806AD408AB250DB756985CF90

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 688 122d300-122d394 DuplicateHandle 689 122d396-122d39c 688->689 690 122d39d-122d3ba 688->690 689->690
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0122D387
                                Memory Dump Source
                                • Source File: 00000001.00000002.1784443759.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_1220000_RegAsm.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: d945dff6b6bce03a79ad64eb94df4c3c330d6e691018b48dd4aa0ed6fdfa50bf
                                • Instruction ID: e1ef1186fd5837d03f648271b596f97c76fa5a76a6a0788a07f8c6578e2bea4f
                                • Opcode Fuzzy Hash: d945dff6b6bce03a79ad64eb94df4c3c330d6e691018b48dd4aa0ed6fdfa50bf
                                • Instruction Fuzzy Hash: 5121C2B5900259EFDB10CFAAD984ADEFFF4EB48320F14841AE958A7310D374A954CFA5

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 693 122d2f9-122d394 DuplicateHandle 694 122d396-122d39c 693->694 695 122d39d-122d3ba 693->695 694->695
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0122D387
                                Memory Dump Source
                                • Source File: 00000001.00000002.1784443759.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_1220000_RegAsm.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: f2b2a9369d61f2d3c0fda8c1af320caee3888d940a43883609d81627c544ba80
                                • Instruction ID: d06c185f040b6f841232205889650991fd2f0100726efd706902aa1403a1f875
                                • Opcode Fuzzy Hash: f2b2a9369d61f2d3c0fda8c1af320caee3888d940a43883609d81627c544ba80
                                • Instruction Fuzzy Hash: E321E4B5900259DFDB10CFAAE584ADEBFF4EB48324F14841AE958A3210C374A954CF64

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 698 122a870-122b2e8 700 122b2f0-122b31f LoadLibraryExW 698->700 701 122b2ea-122b2ed 698->701 702 122b321-122b327 700->702 703 122b328-122b345 700->703 701->700 702->703
                                APIs
                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0122B101,00000800,00000000,00000000), ref: 0122B312
                                Memory Dump Source
                                • Source File: 00000001.00000002.1784443759.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_1220000_RegAsm.jbxd
                                Similarity
                                • API ID: LibraryLoad
                                • String ID:
                                • API String ID: 1029625771-0
                                • Opcode ID: 07a25950e7729b360d3bb5e4cb7fd5801402fd92c60f9913a36404f519697269
                                • Instruction ID: cbc9e3d9a95a8d405e3f91d73a692c021d0d8275115003f4d979b61d20954d12
                                • Opcode Fuzzy Hash: 07a25950e7729b360d3bb5e4cb7fd5801402fd92c60f9913a36404f519697269
                                • Instruction Fuzzy Hash: F41123B6D003599FDB10CF9AD848ADEFBF4EB48320F14842EE919A7210C774A944CFA5

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 706 122b2a0-122b2e8 707 122b2f0-122b31f LoadLibraryExW 706->707 708 122b2ea-122b2ed 706->708 709 122b321-122b327 707->709 710 122b328-122b345 707->710 708->707 709->710
                                APIs
                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0122B101,00000800,00000000,00000000), ref: 0122B312
                                Memory Dump Source
                                • Source File: 00000001.00000002.1784443759.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_1220000_RegAsm.jbxd
                                Similarity
                                • API ID: LibraryLoad
                                • String ID:
                                • API String ID: 1029625771-0
                                • Opcode ID: 4603c0353ee1b2ab4041515c114f26f6c97a7ef85db94a187cbda3a8b8551062
                                • Instruction ID: ff566d4ea5ea91a3922854debd2ce44ec0a38cdbccd80398fc65aca16dfa1e54
                                • Opcode Fuzzy Hash: 4603c0353ee1b2ab4041515c114f26f6c97a7ef85db94a187cbda3a8b8551062
                                • Instruction Fuzzy Hash: 201112B69002599FDB14CF9AD844ADEFBF4EB48320F14842AD969A7210C774A545CFA1

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 713 122b020-122b060 714 122b062-122b065 713->714 715 122b068-122b093 GetModuleHandleW 713->715 714->715 716 122b095-122b09b 715->716 717 122b09c-122b0b0 715->717 716->717
                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0122B086
                                Memory Dump Source
                                • Source File: 00000001.00000002.1784443759.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_1220000_RegAsm.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: 5012afbf38c67a82914afa2f81fa891c059a9749698c2f0aecfb7cb2d23825ce
                                • Instruction ID: 9922935cadb3e298cf1c9dbaa2f85aab3d85ebd29fb2c6a05a9e0e520c95f1b9
                                • Opcode Fuzzy Hash: 5012afbf38c67a82914afa2f81fa891c059a9749698c2f0aecfb7cb2d23825ce
                                • Instruction Fuzzy Hash: FE1102B5C00759CFDB20CF9AD444ADEFBF4AB48224F10841AD569B7210C379A645CFA5