
Windows Analysis Report
vNx9jGoYpb.exe

Overview

General Information

Sample name: vNx9jGoYpb.exe (renamed because the original name is a hash value)
Original sample name: f508cbf0d02ffbc85b07ada57b869239fa840e7a4b66234384cf97981ad48ccd.exe
Analysis ID: 1466967
MD5: d482d79a7d37a4c18c8c3273f5d8eed1
SHA1: f3bba44877555fd96cb89430e1bc04193b324965
SHA256: f508cbf0d02ffbc85b07ada57b869239fa840e7a4b66234384cf97981ad48ccd
Tags: exe

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RedLine Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • vNx9jGoYpb.exe (PID: 6000 cmdline: "C:\Users\user\Desktop\vNx9jGoYpb.exe" MD5: D482D79A7D37A4C18C8C3273F5D8EED1)
    • RegAsm.exe (PID: 2700 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • WerFault.exe (PID: 4440 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6000 -s 308 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
Extracted malware configuration: {"C2 url": "94.228.166.68:80", "Bot Id": "@kolnausgb", "Message": "Click Close to exit the program. Error code: 1142", "Authorization Header": "ec115238af12754cb0b0480ec782f2ef"}
Yara matches (PCAP):
Source: dump.pcap | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security

Yara matches (memory dumps):
Source: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 00000002.00000002.2195672440.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 00000002.00000002.2198036610.0000000002D35000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000002.00000002.2198036610.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: Process Memory Space: vNx9jGoYpb.exe PID: 6000 | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security

Yara matches (unpacked PEs):
Source: 2.2.RegAsm.exe.400000.0.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 1.2.vNx9jGoYpb.exe.e00000.0.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
No Sigma rule has matched

Snort IDS alerts:
  • Timestamp: 07/03/24-15:54:07.024325 | SID: 2046045 | Source Port: 49705 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected
  • Timestamp: 07/03/24-15:54:15.837322 | SID: 2043231 | Source Port: 49705 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected
  • Timestamp: 07/03/24-15:54:07.229078 | SID: 2043234 | Source Port: 80 | Destination Port: 49705 | Protocol: TCP | Classtype: A Network Trojan was detected


AV Detection

Source: 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": "94.228.166.68:80", "Bot Id": "@kolnausgb", "Message": "Click Close to exit the program. Error code: 1142", "Authorization Header": "ec115238af12754cb0b0480ec782f2ef"}
Source: vNx9jGoYpb.exe | ReversingLabs: Detection: 95%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: vNx9jGoYpb.exe | Joe Sandbox ML: detected
Source: vNx9jGoYpb.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: vNx9jGoYpb.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\vNx9jGoYpb.exe | Code function: 1_2_00E19BD3 FindFirstFileExW | 1_2_00E19BD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then inc dword ptr [ebp-20h] | 2_2_060E39C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then inc dword ptr [ebp-20h] | 2_2_060E3C92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 0A01068Ah | 2_2_0A0103D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 2_2_0A011898
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 0A01692Bh | 2_2_0A0166F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 0A011152h | 2_2_0A010D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 0A0115D2h | 2_2_0A010D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 0A013358h | 2_2_0A013340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 0A0183BDh | 2_2_0A01839C

Networking

Source: Traffic | Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.5:49705 -> 94.228.166.68:80
Source: Traffic | Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.5:49705 -> 94.228.166.68:80
Source: Traffic | Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 94.228.166.68:80 -> 192.168.2.5:49705
Source: Malware configuration extractor | URLs: 94.228.166.68:80
Source: Joe Sandbox View | ASN Name: PRANET-ASRU PRANET-ASRU
Source: unknown | TCP traffic detected without corresponding DNS query: 94.228.166.68
Source: global traffic | DNS traffic detected: DNS query: api.ip.sb
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002D35000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002D35000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002D35000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002D35000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002D35000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002E62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002D35000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002D35000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2198036610.0000000002E62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002E62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3ResponseD
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                  Source: Amcache.hve.5.drString found in binary or memory: http://upx.sf.net
                  Source: RegAsm.exe, 00000002.00000002.2198036610.000000000320F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2201389491.0000000003E83000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2201389491.0000000003E9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                  Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002D35000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb
                  Source: vNx9jGoYpb.exe, 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000002.00000002.2198036610.0000000002D35000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2195672440.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                  Source: RegAsm.exe, 00000002.00000002.2198036610.000000000320F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2201389491.0000000003E83000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2201389491.0000000003E9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                  Source: RegAsm.exe, 00000002.00000002.2198036610.000000000320F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2201389491.0000000003E83000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2201389491.0000000003E9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                  Source: RegAsm.exe, 00000002.00000002.2198036610.000000000320F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2201389491.0000000003E83000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2201389491.0000000003E9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                  Source: RegAsm.exe, 00000002.00000002.2198036610.000000000320F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2201389491.0000000003E83000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2201389491.0000000003E9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                  Source: RegAsm.exe, 00000002.00000002.2201389491.0000000003E83000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2201389491.0000000003E9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                  Source: RegAsm.exe, 00000002.00000002.2198036610.000000000320F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabS
                  Source: RegAsm.exe, 00000002.00000002.2198036610.000000000320F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2201389491.0000000003E83000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2201389491.0000000003E9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                  Source: RegAsm.exe, 00000002.00000002.2198036610.000000000320F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2201389491.0000000003E83000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2201389491.0000000003E9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                  Source: RegAsm.exe, 00000002.00000002.2198036610.000000000320F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2201389491.0000000003E83000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2201389491.0000000003E9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
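The string rows above mix three very different things: WS-Trust namespaces that every WCF client carries, tempuri.org operation names, and Chromium default-search-provider URLs that only end up in RegAsm.exe memory because the payload read the browser profile. The triage helper below is an added example (not Joe Sandbox code and not the sample's code) that parses rows in the layout shown here, maps each string back to the process and memory dump it came from, and labels it. Two things are assumptions, not facts stated in the report: the position of the base address, protection and type fields inside a `*.sdmp` name is inferred from the rows on this page, and the tempuri.org `Entity/Id<N>` and `api.ip.sb` rules encode analyst knowledge of RedLine's WCF C2, so treat those labels as leads to confirm. The memory-type decoding is the part worth keeping: the `api.ip.sb/ip` hit at `0x402000` in RegAsm.exe sits in private `PAGE_EXECUTE_READWRITE` memory, not in the image-backed RegAsm.exe mapping, which is the injected payload.

```python
"""Triage the "String found in binary or memory" rows of a Joe Sandbox report.
Added example for this page; not Joe Sandbox code and not code from the
sample.  Parses rows in the layout shown above (separator " | "), ties every
string to the process/memory dump it was read from, and labels it."""
import re
from dataclasses import dataclass

# Windows memory constants (certain).  The *position* of the base, protection
# and type fields inside a Joe Sandbox *.sdmp name is an assumption inferred
# from this page's rows: pid.dump.id.base.protect.?.type.?.sdmp
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000
PAGE_EXECUTE_MASK = 0xF0      # PAGE_EXECUTE* protections are 0x10..0x80

# Analyst heuristics (assumption, not stated by the report): RedLine talks to a
# WCF/SOAP service whose default contract namespace is tempuri.org with
# operations named Entity/Id<N>, and queries api.ip.sb for the victim's IP.
INDICATORS = [
    (re.compile(r"^http://tempuri\.org/Entity/Id\d+(Response)?"), "redline-wcf-operation"),
    (re.compile(r"^http://tempuri\.org/"), "wcf-default-namespace"),
    (re.compile(r"^https://api\.ip\.sb(/|$)"), "external-ip-lookup"),
]
RUNTIME_NOISE = ("http://schemas.xmlsoap.org/", "http://schemas.microsoft.com/", "http://www.w3.org/")
BROWSER_DEFAULTS = ("duckduckgo.com", "ecosia.org", "search.yahoo.com", "google.com/images/branding")

ROW_RE = re.compile(r"^Source:\s*(.+?)\s*\|?\s*String found in binary or memory:\s*(\S+)")
DUMP_RE = re.compile(r"^([0-9a-f]{8})\.([0-9a-f]{8})\.(\d+)\.([0-9a-f]{16})\.([0-9a-f]{8})\."
                     r"([0-9a-f]{8})\.([0-9a-f]{8})\.([0-9a-f]{8})\.sdmp$", re.I)


@dataclass
class Dump:
    process: str
    base: int
    protect: int
    mem_type: int

    @property
    def injected_code(self) -> bool:
        # Executable memory that is private (not file-backed) is where an
        # injected/hollowed payload lives; a string there is not from the
        # on-disk RegAsm.exe, whose own pages would be MEM_IMAGE.
        return bool(self.protect & PAGE_EXECUTE_MASK) and self.mem_type == MEM_PRIVATE


def parse_sources(text):
    """'proc, dump, proc, dump' -> [(proc, Dump|None), ...]; a lone token such
    as a dropped file ('Amcache.hve.5.dr') gets no dump."""
    entries = []
    for tok in (t.strip() for t in text.split(",")):
        m = DUMP_RE.match(tok)
        if m and entries and entries[-1][1] is None:
            proc = entries.pop()[0]
            entries.append((proc, Dump(proc, int(m[4], 16), int(m[5], 16), int(m[7], 16))))
        else:
            entries.append((tok, None))
    return entries


def classify(url):
    for rx, label in INDICATORS:
        if rx.match(url):
            return label
    if url.startswith(RUNTIME_NOISE):
        return "dotnet-runtime-noise"
    if any(d in url for d in BROWSER_DEFAULTS):
        return "browser-profile-data"
    return "unclassified"


def triage(report_text):
    """One dict per row: url, label, processes it was seen in, and whether any
    of those sightings was inside executable private memory."""
    findings = []
    for line in report_text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        sources = parse_sources(m[1])
        findings.append({
            "url": m[2],
            "label": classify(m[2]),
            "processes": sorted({p for p, _ in sources}),
            "in_injected_memory": any(d.injected_code for _, d in sources if d),
        })
    return findings


# Constructed test input: five rows copied from this report, separator restored.
SAMPLE = """
Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id1
Source: Amcache.hve.5.dr | String found in binary or memory: http://upx.sf.net
Source: vNx9jGoYpb.exe, 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000002.00000002.2198036610.0000000002D35000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2195672440.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.sb/ip
Source: RegAsm.exe, 00000002.00000002.2198036610.000000000320F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        flag = "  <- string lives in RWX private memory: injected payload" if f["in_injected_memory"] else ""
        print(f'{f["label"]:24} {",".join(f["processes"]):28} {f["url"]}{flag}')
```

Run it over the whole strings section of a report (not only the five sample rows) and the `dotnet-runtime-noise` bucket absorbs the WS-Trust lines, leaving the tempuri.org operations, the IP lookup and the browser-profile URLs as the rows worth putting in the write-up. Trailing characters such as `Id1ResponseD` or `chrome_newtabS` are overreads of adjacent heap data; the prefix match deliberately ignores them.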
Source: C:\Users\user\Desktop\vNx9jGoYpb.exe | Code function: 1_2_00E228F0
Source: C:\Users\user\Desktop\vNx9jGoYpb.exe | Code function: 1_2_00E18D09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0518DC74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_060E0F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_060E6F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_060E7800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_060E0F18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_060EEA17
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_060EEA28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_060E6BE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_060FEA18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_060F43C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_060F1831
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_060F1840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0A012A58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0A013B68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0A0103D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0A011898
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0A01B158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0A013600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0A0176F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0A012418
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0A018450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0A0144B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0A010D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0A011889
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0A014FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0A012408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0A018440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0A010D1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0A0135F0
Source: C:\Users\user\Desktop\vNx9jGoYpb.exe | Code function: String function: 00E0A150 appears 49 times
Source: C:\Users\user\Desktop\vNx9jGoYpb.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6000 -s 308
Source: vNx9jGoYpb.exe, 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameQualm.exe8 vs vNx9jGoYpb.exe
Source: vNx9jGoYpb.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/6@1/1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Local\SystemCache
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6000
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\2ba73232-3b91-43e5-88f8-0c91d7c56ec4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\vNx9jGoYpb.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: vNx9jGoYpb.exe | ReversingLabs: Detection: 95%
Source: unknown | Process created: C:\Users\user\Desktop\vNx9jGoYpb.exe "C:\Users\user\Desktop\vNx9jGoYpb.exe"
Source: C:\Users\user\Desktop\vNx9jGoYpb.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\vNx9jGoYpb.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6000 -s 308
Source: C:\Users\user\Desktop\vNx9jGoYpb.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
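The process chain above is the part of this report that translates directly into a host detection: a binary on the user's Desktop starts RegAsm.exe with an empty command line (a legitimate RegAsm invocation always names an assembly), the child then does all the network and WMI activity, and the parent crashes into WerFault.exe with `-p 6000` once it has finished injecting. The rule below is an added example, not a Joe Sandbox or vendor rule. Event field names follow Sysmon Event ID 1; the events are constructed from the rows above, with every PID other than 6000, the explorer.exe parent and the benign MSBuild control row being assumptions made for the sample. The list of .NET utilities treated as hollowing hosts is a common analyst choice and is also an assumption, so tune it to what your build systems actually run.

```python
"""Detect a user-dropped binary hollowing a .NET framework utility, the chain
this report shows (vNx9jGoYpb.exe -> RegAsm.exe with no arguments -> WerFault).
Added example; not Joe Sandbox's and not a vendor rule.  Event fields are
modelled on Sysmon Event ID 1.  The EVENTS list is constructed from the
process rows above; PIDs other than 6000 and the parents are made up."""
import ntpath
import re

# Framework utilities that legitimately run only with an assembly/project
# argument (assumption: extend or trim for your environment).
NET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe",
             "aspnet_compiler.exe", "applaunch.exe"}
FRAMEWORK_DIR = re.compile(r"^[a-z]:\\windows\\microsoft\.net\\framework(64)?\\v[\d.]+\\", re.I)
TRUSTED_PARENT_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(desktop|downloads|appdata)\\", re.I)


def cmdline_args(cmdline: str) -> str:
    """Everything after the image token of a Windows command line ('' if none)."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def evaluate(ev: dict) -> list:
    """Reasons one process-creation event is suspicious (empty list = benign)."""
    image, parent = ev["Image"].lower(), ev["ParentImage"].lower()
    reasons = []
    if ntpath.basename(image) in NET_HOSTS and FRAMEWORK_DIR.match(image):
        if cmdline_args(ev["CommandLine"]) == "":
            reasons.append("framework utility launched without an assembly argument")
        if not parent.startswith(TRUSTED_PARENT_DIRS):
            reasons.append("parent is not a Windows/Program Files binary")
        if USER_WRITABLE.match(parent):
            reasons.append("parent runs from a user-writable directory")
    return reasons


def score_chain(events: list) -> dict:
    """Group events by parent PID, collect per-event reasons, and add the
    crash signal when the same parent is reported by WerFault.exe -p <pid>."""
    by_parent = {}
    for ev in events:
        by_parent.setdefault(ev["ParentProcessId"], []).append(ev)
    verdicts = {}
    for ppid, evs in by_parent.items():
        reasons = [f'{ntpath.basename(ev["Image"])}: {r}' for ev in evs for r in evaluate(ev)]
        crashed = any(ntpath.basename(ev["Image"]).lower() == "werfault.exe"
                      and f"-p {ppid}" in ev["CommandLine"] for ev in evs)
        if reasons and crashed:
            reasons.append("parent crashed (WerFault) after spawning the host: injector behaviour")
        if reasons:
            verdicts[ppid] = reasons
    return verdicts


# Constructed from the process rows above; PIDs other than 6000 are invented.
EVENTS = [
    {"ProcessId": 6000, "ParentProcessId": 4000,
     "Image": r"C:\Users\user\Desktop\vNx9jGoYpb.exe",
     "CommandLine": r'"C:\Users\user\Desktop\vNx9jGoYpb.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 6120, "ParentProcessId": 6000,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
     "ParentImage": r"C:\Users\user\Desktop\vNx9jGoYpb.exe"},
    {"ProcessId": 6140, "ParentProcessId": 6000,
     "Image": r"C:\Windows\SysWOW64\WerFault.exe",
     "CommandLine": r"C:\Windows\SysWOW64\WerFault.exe -u -p 6000 -s 308",
     "ParentImage": r"C:\Users\user\Desktop\vNx9jGoYpb.exe"},
    # Benign control (assumed): a build tool registering a COM-visible assembly.
    {"ProcessId": 7000, "ParentProcessId": 6900,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /codebase C:\build\Interop.dll',
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe"},
]

if __name__ == "__main__":
    for ppid, reasons in score_chain(EVENTS).items():
        print(f"parent PID {ppid}:")
        for r in reasons:
            print("  -", r)
```

The argument-less launch is the strong signal; the parent-location checks exist to keep a developer's `regasm /codebase` from a build directory out of the alert, and the WerFault correlation only ever raises confidence, never creates an alert on its own.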
Source: C:\Users\user\Desktop\vNx9jGoYpb.exe | Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dwrite.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msvcp140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: textshaping.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: textinputframework.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: coremessaging.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: coremessaging.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rstrtmgr.dll
                  Source: vNx9jGoYpb.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                  Source: vNx9jGoYpb.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: C:\Users\user\Desktop\vNx9jGoYpb.exe Code function: 1_2_00E09A6C push ecx; ret 1_2_00E09A7F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_060E37F8 push es; retf 2_2_060E3800
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_060F1661 push es; ret 2_2_060F1670
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_060FDEB0 push es; ret 2_2_060FDEC0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_060F9C79 push es; ret 2_2_060F9C7C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_060F9CD9 push es; retf 2_2_060F9CDC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_060F2292 push es; ret 2_2_060F22A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_060F4321 push es; ret 2_2_060F4330
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_060F4362 push es; ret 2_2_060F4370
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_060FE8B2 push es; retn 0004h 2_2_060FE8C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2B20000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2CA0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 4CA0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 770
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 3431
                  Source: C:\Users\user\Desktop\vNx9jGoYpb.exe API coverage: 6.7 %
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7192 Thread sleep time: -13835058055282155s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2436 Thread sleep time: -30000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 748 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\vNx9jGoYpb.exe Code function: 1_2_00E19BD3 FindFirstFileExW,1_2_00E19BD3
                  Source: RegAsm.exe, 00000002.00000002.2201389491.000000000411E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                  Source: RegAsm.exe, 00000002.00000002.2201389491.000000000411E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                  Source: Amcache.hve.5.dr Binary or memory string: VMware
                  Source: RegAsm.exe, 00000002.00000002.2201389491.000000000411E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
                  Source: RegAsm.exe, 00000002.00000002.2201389491.00000000040AD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
                  Source: RegAsm.exe, 00000002.00000002.2201389491.00000000040AD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                  Source: RegAsm.exe, 00000002.00000002.2201389491.00000000040AD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
                  Source: Amcache.hve.5.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: RegAsm.exe, 00000002.00000002.2201389491.00000000040AD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
                  Source: RegAsm.exe, 00000002.00000002.2201389491.000000000411E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
                  Source: RegAsm.exe, 00000002.00000002.2201389491.000000000411E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                  Source: Amcache.hve.5.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                  Source: RegAsm.exe, 00000002.00000002.2201389491.00000000040AD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                  Source: RegAsm.exe, 00000002.00000002.2201389491.000000000411E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                  Source: RegAsm.exe, 00000002.00000002.2201389491.000000000411E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                  Source: Amcache.hve.5.dr Binary or memory string: vmci.sys
                  Source: RegAsm.exe, 00000002.00000002.2201389491.00000000040AD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
                  Source: RegAsm.exe, 00000002.00000002.2201389491.00000000040AD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
                  Source: RegAsm.exe, 00000002.00000002.2201389491.00000000040AD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
                  Source: RegAsm.exe, 00000002.00000002.2201389491.00000000040AD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
                  Source: RegAsm.exe, 00000002.00000002.2201389491.000000000411E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                  Source: RegAsm.exe, 00000002.00000002.2201389491.00000000040AD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                  Source: Amcache.hve.5.dr Binary or memory string: VMware20,1
                  Source: Amcache.hve.5.dr Binary or memory string: Microsoft Hyper-V Generation Counter
                  Source: Amcache.hve.5.dr Binary or memory string: NECVMWar VMware SATA CD00
                  Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
                  Source: RegAsm.exe, 00000002.00000002.2201389491.00000000040AD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                  Source: Amcache.hve.5.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                  Source: Amcache.hve.5.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                  Source: Amcache.hve.5.dr Binary or memory string: VMware PCI VMCI Bus Device
                  Source: Amcache.hve.5.dr Binary or memory string: VMware VMCI Bus Device
                  Source: RegAsm.exe, 00000002.00000002.2207127231.00000000055B2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
                  Source: RegAsm.exe, 00000002.00000002.2201389491.000000000411E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                  Source: RegAsm.exe, 00000002.00000002.2201389491.000000000411E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
                  Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual RAM
                  Source: Amcache.hve.5.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                  Source: RegAsm.exe, 00000002.00000002.2201389491.00000000040AD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
                  Source: RegAsm.exe, 00000002.00000002.2201389491.000000000411E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                  Source: RegAsm.exe, 00000002.00000002.2201389491.00000000040AD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                  Source: Amcache.hve.5.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
                  Source: RegAsm.exe, 00000002.00000002.2201389491.00000000040AD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
                  Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual USB Mouse
                  Source: RegAsm.exe, 00000002.00000002.2201389491.000000000411E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                  Source: Amcache.hve.5.dr Binary or memory string: vmci.syshbin
                  Source: Amcache.hve.5.dr Binary or memory string: VMware, Inc.
                  Source: RegAsm.exe, 00000002.00000002.2201389491.00000000040AD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
                  Source: Amcache.hve.5.dr Binary or memory string: VMware20,1hbin@
                  Source: Amcache.hve.5.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                  Source: RegAsm.exe, 00000002.00000002.2201389491.000000000411E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
                  Source: Amcache.hve.5.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                  Source: RegAsm.exe, 00000002.00000002.2201389491.000000000411E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
                  Source: RegAsm.exe, 00000002.00000002.2201389491.00000000040AD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
                  Source: RegAsm.exe, 00000002.00000002.2201389491.000000000411E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
                  Source: Amcache.hve.5.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: RegAsm.exe, 00000002.00000002.2201389491.000000000411E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
                  Source: RegAsm.exe, 00000002.00000002.2201389491.000000000411E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
                  Source: RegAsm.exe, 00000002.00000002.2201389491.00000000040AD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                  Source: RegAsm.exe, 00000002.00000002.2201389491.00000000040AD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                  Source: RegAsm.exe, 00000002.00000002.2201389491.000000000411E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
                  Source: RegAsm.exe, 00000002.00000002.2201389491.00000000040AD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                  Source: RegAsm.exe, 00000002.00000002.2201389491.00000000040AD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
                  Source: Amcache.hve.5.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
                  Source: RegAsm.exe, 00000002.00000002.2201389491.00000000040AD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                  Source: RegAsm.exe, 00000002.00000002.2201389491.00000000040AD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
                  Source: RegAsm.exe, 00000002.00000002.2201389491.00000000040AD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                  Source: Amcache.hve.5.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: RegAsm.exe, 00000002.00000002.2201389491.000000000411E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
                  Source: RegAsm.exe, 00000002.00000002.2201389491.00000000040AD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                  Source: RegAsm.exe, 00000002.00000002.2201389491.00000000040AD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696428655s
                  Source: RegAsm.exe, 00000002.00000002.2201389491.000000000411E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696428655f
                  Source: RegAsm.exe, 00000002.00000002.2201389491.00000000040AD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                  Source: RegAsm.exe, 00000002.00000002.2201389491.00000000040AD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696428655
                  Source: RegAsm.exe, 00000002.00000002.2201389491.000000000411E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696428655s
                  Source: Amcache.hve.5.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                  Source: Amcache.hve.5.drBinary or memory string: vmci.syshbin`
                  Source: RegAsm.exe, 00000002.00000002.2201389491.00000000040AD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                  Source: Amcache.hve.5.drBinary or memory string: \driver\vmci,\driver\pci
                  Source: RegAsm.exe, 00000002.00000002.2201389491.000000000411E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696428655o
                  Source: RegAsm.exe, 00000002.00000002.2201389491.00000000040AD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696428655j
                  Source: Amcache.hve.5.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: RegAsm.exe, 00000002.00000002.2201389491.00000000040AD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
                  Source: RegAsm.exe, 00000002.00000002.2201389491.000000000411E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                  Source: RegAsm.exe, 00000002.00000002.2201389491.000000000411E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696428655
                  Source: Amcache.hve.5.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                  Source: RegAsm.exe, 00000002.00000002.2201389491.000000000411E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                  Source: RegAsm.exe, 00000002.00000002.2201389491.000000000411E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                  Source: RegAsm.exe, 00000002.00000002.2201389491.000000000411E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696428655
                  Source: RegAsm.exe, 00000002.00000002.2201389491.000000000411E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                  Source: RegAsm.exe, 00000002.00000002.2201389491.000000000411E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                  Source: RegAsm.exe, 00000002.00000002.2201389491.000000000411E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                  Source: RegAsm.exe, 00000002.00000002.2201389491.00000000040AD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                  Source: RegAsm.exe, 00000002.00000002.2201389491.000000000411E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696428655x
                  Source: C:\Users\user\Desktop\vNx9jGoYpb.exeAPI call chain: ExitProcess graph end nodegraph_1-17023
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Users\user\Desktop\vNx9jGoYpb.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Users\user\Desktop\vNx9jGoYpb.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_060E8548 LdrInitializeThunk,2_2_060E8548
                  Source: C:\Users\user\Desktop\vNx9jGoYpb.exeCode function: 1_2_00E0DE43 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00E0DE43
                  Source: C:\Users\user\Desktop\vNx9jGoYpb.exeCode function: 1_2_00E151C2 mov eax, dword ptr fs:[00000030h]1_2_00E151C2
                  Source: C:\Users\user\Desktop\vNx9jGoYpb.exeCode function: 1_2_00E11F18 mov ecx, dword ptr fs:[00000030h]1_2_00E11F18
                  Source: C:\Users\user\Desktop\vNx9jGoYpb.exeCode function: 1_2_00E1D31C GetProcessHeap,1_2_00E1D31C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\vNx9jGoYpb.exeCode function: 1_2_00E0A082 SetUnhandledExceptionFilter,1_2_00E0A082
                  Source: C:\Users\user\Desktop\vNx9jGoYpb.exeCode function: 1_2_00E0A1E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00E0A1E0
                  Source: C:\Users\user\Desktop\vNx9jGoYpb.exeCode function: 1_2_00E0DE43 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00E0DE43
                  Source: C:\Users\user\Desktop\vNx9jGoYpb.exeCode function: 1_2_00E09F26 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00E09F26
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\vNx9jGoYpb.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\vNx9jGoYpb.exe | Code function 1_2_013E018D: GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, CreateProcessA, CreateProcessA, VirtualAlloc, VirtualAlloc, GetThreadContext, Wow64GetThreadContext, ReadProcessMemory, ReadProcessMemory, VirtualAllocEx, VirtualAllocEx, GetProcAddress, WriteProcessMemory, WriteProcessMemory, WriteProcessMemory, WriteProcessMemory, WriteProcessMemory, WriteProcessMemory, SetThreadContext, Wow64SetThreadContext, ResumeThread, ResumeThread
Source: C:\Users\user\Desktop\vNx9jGoYpb.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\vNx9jGoYpb.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\vNx9jGoYpb.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\Desktop\vNx9jGoYpb.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000
Source: C:\Users\user\Desktop\vNx9jGoYpb.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44E000
Source: C:\Users\user\Desktop\vNx9jGoYpb.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: B79008
Source: C:\Users\user\Desktop\vNx9jGoYpb.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\vNx9jGoYpb.exe | Code function 1_2_00E09C45: cpuid
Source: C:\Users\user\Desktop\vNx9jGoYpb.exe | Code function 1_2_00E1D0BA: GetUserDefaultLCID, IsValidCodePage, IsValidLocale, GetLocaleInfoW, GetLocaleInfoW
Source: C:\Users\user\Desktop\vNx9jGoYpb.exe | Code function 1_2_00E1C9F8: EnumSystemLocalesW
Source: C:\Users\user\Desktop\vNx9jGoYpb.exe | Code function 1_2_00E1C951: GetLocaleInfoW
Source: C:\Users\user\Desktop\vNx9jGoYpb.exe | Code function 1_2_00E1CADE: EnumSystemLocalesW
Source: C:\Users\user\Desktop\vNx9jGoYpb.exe | Code function 1_2_00E1CA43: EnumSystemLocalesW
Source: C:\Users\user\Desktop\vNx9jGoYpb.exe | Code function 1_2_00E14A45: EnumSystemLocalesW
Source: C:\Users\user\Desktop\vNx9jGoYpb.exe | Code function 1_2_00E1CB69: GetLocaleInfoW, GetLocaleInfoW, GetLocaleInfoW
Source: C:\Users\user\Desktop\vNx9jGoYpb.exe | Code function 1_2_00E1CDBC: GetLocaleInfoW
Source: C:\Users\user\Desktop\vNx9jGoYpb.exe | Code function 1_2_00E1CEE5: GetLocaleInfoW, GetLocaleInfoW, GetACP
Source: C:\Users\user\Desktop\vNx9jGoYpb.exe | Code function 1_2_00E1CFEB: GetLocaleInfoW
Source: C:\Users\user\Desktop\vNx9jGoYpb.exe | Code function 1_2_00E14F6B: GetLocaleInfoW
Source: C:\Users\user\Desktop\vNx9jGoYpb.exe | Code function 1_2_00E1C756: GetACP, IsValidCodePage, GetLocaleInfoW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\vNx9jGoYpb.exe | Code function 1_2_00E0944C: GetSystemTimePreciseAsFileTime, GetSystemTimePreciseAsFileTime, GetSystemTimeAsFileTime
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.5.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr | Binary or memory string: MsMpEng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.vNx9jGoYpb.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2195672440.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vNx9jGoYpb.exe PID: 6000, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 2700, type: MEMORYSTR
Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002D35000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ElectrumE#
Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $]q2C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty
Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.walletLR]q
Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum\walletsLR]q
Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002D35000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ExodusE#
Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002D84000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Could not find a part of the path 'C:\Users\user\AppData\Roaming\binance'.Data\Local\ProtonVPN'.ROWSER PROFILE NAME\Local Storage\leveldb'.chdcondbcbdnbeeppgdph'.
Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002D35000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: EthereumE#
Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $]q&%localappdata%\Coinomi\Coinomi\walletsLR]q
Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $]q6C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: RegAsm.exe, 00000002.00000002.2198036610.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $]q%appdata%`,]qdC:\Users\user\AppData\Roaming`,]qdC:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\binance\
Source: Yara match | File source: 00000002.00000002.2198036610.0000000002D35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2198036610.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 2700, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.vNx9jGoYpb.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2195672440.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vNx9jGoYpb.exe PID: 6000, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 2700, type: MEMORYSTR

Mitre Att&ck Matrix

One line per tactic column of the matrix; a number in front of a technique name is the report's hit counter for that technique, kept as extracted.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 221 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 411 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 251 Virtualization/Sandbox Evasion; 411 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 DLL Side-Loading
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 1 System Time Discovery; 261 Security Software Discovery; 1 Process Discovery; 251 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 134 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Archive Collected Data; 3 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 1 Encrypted Channel; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

Source | Detection | Scanner | Label
vNx9jGoYpb.exe | 96% | ReversingLabs | Win32.Trojan.RedLine
vNx9jGoYpb.exe | 100% | Joe Sandbox ML |
                  No Antivirus matches
                  No Antivirus matches
                  No Antivirus matches
Source | Detection | Scanner | Label
http://tempuri.org/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://api.ip.sb/ip | 0% | URL Reputation | safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | 0% | Avira URL Cloud | safe
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id23ResponseD | 0% | Avira URL Cloud | safe
94.228.166.68:80 | 0% | Avira URL Cloud | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id2Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id12Response | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/08/addressing | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/soap/envelope/ | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/trust | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id21Response | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id9 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id5 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id8 | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id4 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id7 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id6 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id19Response | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id15Response | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id6Response | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/04/sc | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id1ResponseD | 0% | Avira URL Cloud | safe
                  http://tempuri.org/Entity/Id9Response0%Avira URL Cloudsafe
                  http://schemas.xmlsoap.org/ws/2004/10/wsat0%Avira URL Cloudsafe
                  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel0%Avira URL Cloudsafe
                  http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey0%Avira URL Cloudsafe
                  http://tempuri.org/Entity/Id200%Avira URL Cloudsafe
                  https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=0%Avira URL Cloudsafe
                  http://tempuri.org/Entity/Id220%Avira URL Cloudsafe
                  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA10%Avira URL Cloudsafe
                  http://tempuri.org/Entity/Id210%Avira URL Cloudsafe
                  http://tempuri.org/Entity/Id230%Avira URL Cloudsafe
                  http://tempuri.org/Entity/Id240%Avira URL Cloudsafe
                  http://tempuri.org/Entity/Id24Response0%Avira URL Cloudsafe
                  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue0%Avira URL Cloudsafe
                  http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA10%Avira URL Cloudsafe
                  http://tempuri.org/Entity/Id1Response0%Avira URL Cloudsafe
                  http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay0%Avira URL Cloudsafe
                  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary0%Avira URL Cloudsafe
                  http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego0%Avira URL Cloudsafe
                  http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly0%Avira URL Cloudsafe
                  http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC0%Avira URL Cloudsafe
                  http://schemas.xmlsoap.org/ws/2004/04/trust0%Avira URL Cloudsafe
                  http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion0%Avira URL Cloudsafe
                  http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey0%Avira URL Cloudsafe
                  http://tempuri.org/Entity/Id110%Avira URL Cloudsafe
                  http://tempuri.org/Entity/Id100%Avira URL Cloudsafe
                  http://tempuri.org/Entity/Id120%Avira URL Cloudsafe
                  http://tempuri.org/Entity/Id16Response0%Avira URL Cloudsafe
                  http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse0%Avira URL Cloudsafe
                  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel0%Avira URL Cloudsafe
                  http://tempuri.org/Entity/Id130%Avira URL Cloudsafe
                  http://tempuri.org/Entity/Id150%Avira URL Cloudsafe
                  http://tempuri.org/Entity/Id140%Avira URL Cloudsafe
                  http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce0%Avira URL Cloudsafe
                  http://tempuri.org/Entity/Id160%Avira URL Cloudsafe
                  http://tempuri.org/Entity/Id170%Avira URL Cloudsafe
                  http://tempuri.org/Entity/Id180%Avira URL Cloudsafe
                  http://tempuri.org/Entity/Id190%Avira URL Cloudsafe
                  http://tempuri.org/Entity/Id10Response0%Avira URL Cloudsafe
                  http://tempuri.org/Entity/Id5Response0%Avira URL Cloudsafe
                  http://schemas.xmlsoap.org/ws/2005/02/trust/Renew0%Avira URL Cloudsafe
                  http://tempuri.org/Entity/Id8Response0%Avira URL Cloudsafe
                  http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey0%Avira URL Cloudsafe
                  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID0%Avira URL Cloudsafe
                  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.00%Avira URL Cloudsafe
                  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT0%Avira URL Cloudsafe
                  http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey0%Avira URL Cloudsafe
                  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA10%Avira URL Cloudsafe
                  http://schemas.xmlsoap.org/ws/2006/02/addressingidentity0%Avira URL Cloudsafe
                  https://duckduckgo.com/chrome_newtabS0%Avira URL Cloudsafe
                  http://tempuri.org/Entity/Id3ResponseD0%Avira URL Cloudsafe
                  http://tempuri.org/Entity/Id23Response0%Avira URL Cloudsafe
                  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT0%Avira URL Cloudsafe
                  http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback0%Avira URL Cloudsafe
Domains contacted:

Name        IP        Active    Malicious   Antivirus Detection   Reputation
api.ip.sb   unknown   unknown   false                             unknown

IP addresses contacted:

Name                Malicious   Antivirus Detection       Reputation
94.228.166.68:80    true        Avira URL Cloud: safe     unknown
IP | Domain | Country | ASN | ASN Name | Malicious
94.228.166.68 | unknown | Russian Federation | 48467 | PRANET-ASRU | true
                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1466967
                    Start date and time:2024-07-03 15:53:09 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 5m 12s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:10
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:vNx9jGoYpb.exe
                    renamed because original name is a hash value
                    Original Sample Name:f508cbf0d02ffbc85b07ada57b869239fa840e7a4b66234384cf97981ad48ccd.exe
                    Detection:MAL
                    Classification:mal100.troj.spyw.evad.winEXE@4/6@1/1
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 122
                    • Number of non-executed functions: 58
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                    • Excluded IPs from analysis (whitelisted): 104.26.13.31, 104.26.12.31, 172.67.75.172, 52.168.117.173
                    • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, api.ip.sb.cdn.cloudflare.net, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                    • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                    • VT rate limit hit for: vNx9jGoYpb.exe
Time | Type | Description
09:54:13 | API Interceptor | 21x Sleep call for process: RegAsm.exe modified
09:54:19 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
94.228.166.68 | fOsCO13KRs.exe | malicious | RedLine
94.228.166.68 | xFk6x2mrd7.exe | malicious | RedLine
94.228.166.68 | qHYHgANDmm.exe | malicious | RedLine, Xmrig
                          No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
PRANET-ASRU | fOsCO13KRs.exe | malicious | RedLine | 94.228.166.68
PRANET-ASRU | xFk6x2mrd7.exe | malicious | RedLine | 94.228.166.68
PRANET-ASRU | qHYHgANDmm.exe | malicious | RedLine, Xmrig | 94.228.166.68
PRANET-ASRU | 1Vkf7silOj.exe | malicious | LummaC, Amadey, Mars Stealer, PureLog Stealer, RedLine, SmokeLoader, Stealc | 94.228.166.74
PRANET-ASRU | iYhvVk2ZzV.exe | malicious | DCRat, PureLog Stealer, zgRAT | 94.228.166.75
PRANET-ASRU | T4LJO0xbse.exe | malicious | Quasar | 94.228.166.40
PRANET-ASRU | K3wj3nqr6c.exe | malicious | Amadey | 94.228.166.74
PRANET-ASRU | setup.exe | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLine | 94.228.166.74
PRANET-ASRU | CS32G1VhXR.exe | malicious | Quasar | 94.228.166.40
PRANET-ASRU | ZXZMRvEA9M.elf | malicious | Mirai | 185.46.45.224
                          No context
                          No context
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):65536
                          Entropy (8bit):0.7037447162233627
                          Encrypted:false
                          SSDEEP:96:E7FDkzrY2YsthqYoVyDqdQXIDcQic6zmcETcw3r+HbHg/PB6HeaOy1FhZAX/d5Fn:GRkzr7YTG0cfmJEjG1zuiFgZ24IO8b
                          MD5:BD6A07CE3627F2234FB970A7296B78F5
                          SHA1:8FFB86666E78A81970B0B2E135C06C552F72E4BF
                          SHA-256:383FD0B8ACFB04A0666BD753DCB46E0BACFED6BA7730369BDE15EAB6B9291E15
                          SHA-512:0B52750AAD37EA8175F09E25182F2370224DBD90D79DEF18CF98DC0BBC1CD0D41BDF3A05A84D895B4DFF87CF663A206EC82CCD171E76277F22EF06AEBE8D670D
                          Malicious:true
                          Reputation:low
                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.4.4.8.8.4.4.2.6.4.5.4.9.8.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.4.4.8.8.4.4.4.6.1.4.2.3.9.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.c.5.1.3.e.f.4.-.d.8.d.7.-.4.1.5.e.-.8.4.5.8.-.4.4.f.e.6.a.1.7.5.e.d.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.3.e.a.2.c.8.1.-.5.a.f.4.-.4.5.0.9.-.8.c.6.0.-.6.1.1.8.a.0.4.8.1.4.3.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.v.N.x.9.j.G.o.Y.p.b...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.7.0.-.0.0.0.1.-.0.0.1.4.-.9.b.0.f.-.d.c.7.3.5.0.c.d.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.0.f.c.d.7.b.e.2.3.e.1.e.3.4.2.f.2.9.5.2.8.c.1.5.5.d.9.3.4.2.4.0.0.0.0.f.f.f.f.!.0.0.0.0.f.3.b.b.a.4.4.8.7.7.5.5.5.f.d.9.6.c.b.8.9.4.3.0.e.1.b.c.0.4.1.9.3.b.3.2.4.9.6.5.!.v.N.x.9.j.G.o.Y.p.b...e.x.e.....T.a.r.g.e.t.A.p.p.
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:Mini DuMP crash report, 14 streams, Wed Jul 3 13:54:03 2024, 0x1205a4 type
                          Category:dropped
                          Size (bytes):47746
                          Entropy (8bit):1.8348823001146963
                          Encrypted:false
                          SSDEEP:192:bO2knRhMTOaiqrtm2mMSA7aVlSBBq9shDRD7mez5so:1IRhMKaiqr8wSSaPSBBq2DRD7mbo
                          MD5:9B73885C15F0CA3BD740F77AA1CE9471
                          SHA1:D02888DA942273B92554ED3686F5FE3D06F7FFEE
                          SHA-256:CF3C66A0E026045921DD4EBA0C4661541CCC199B40A7A4F2C08D4C072EF18CC8
                          SHA-512:1DAA6564CAE2082593F9364D75B8637C60BE332E29C4A363158E25493B66D2F49B67940711CB2A2240E6DD63766A8B07902EA1F2853BDC4DA31E2A68B97B56EB
                          Malicious:false
                          Reputation:low
                          Preview:MDMP..a..... ........W.f........................X...............R#..........T.......8...........T...........................T...........@...............................................................................eJ..............GenuineIntel............T.......p....W.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):8356
                          Entropy (8bit):3.7014619178035386
                          Encrypted:false
                          SSDEEP:192:R6l7wVeJ3g666YEIMvSUlmgmfQJjei9TprV89btEsf2Pvm:R6lXJw666YERSUlmgmfQJjert3ff
                          MD5:5E605A1C764B06A3C13EDC31570B0747
                          SHA1:F54A9523C32132ED5252C49835046905DBA21CD9
                          SHA-256:CC647131587A8F9FCC41745D5D2049F8E8F270875366FACF823E1398A33BCD62
                          SHA-512:CE1DB88A3CA3A36431E19120805C52440C569ED4F20843C9D14ECAAE78C2FDD525E4C4483E4BDE58ACC37047EF84941178E9D65278D55467E78226D55270850B
                          Malicious:false
                          Reputation:low
                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.0.0.0.<./.P.i.
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):4635
                          Entropy (8bit):4.5144663040551185
                          Encrypted:false
                          SSDEEP:48:cvIwWl8zslJg77aI9CVWpW8VYiYm8M4JeNFG+q8WHi+hwad:uIjf/I7ck7V6JVzJwad
                          MD5:3FAC34151BD2F4D1FB7C24998C3E12FA
                          SHA1:3C0B5ABDD24ACC08E4FD449CCB9ABEE3256CD3C1
                          SHA-256:3D4CE8737E425C32B7435EF8B08BAEC2670EA87B9530EC91543C4A402035352F
                          SHA-512:2773DEE5B581D4BA83C165053FDFCE9A11147278723935783161C9DD0C7ACEB7DA1BF59F15FED9A438CB553881D69915602BA37F3A239EE0ACE7AF8760E450C0
                          Malicious:false
                          Reputation:low
                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="394856" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):3094
                          Entropy (8bit):5.33145931749415
                          Encrypted:false
                          SSDEEP:96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqc85VD:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
                          MD5:2A56468A7C0F324A42EA599BF0511FAF
                          SHA1:404B343A86EDEDF5B908D7359EB8AA957D1D4333
                          SHA-256:6398E0BD46082BBC30008BC72A2BA092E0A1269052153D343AA40F935C59957C
                          SHA-512:19B79181C40AA51C7ECEFCD4C9ED42D5BA19EA493AE99654D3A763EA9B21B1ABE5B5739AAC425E461609E1165BCEA749CFB997DE0D35303B4CF2A29BDEF30B17
                          Malicious:false
                          Reputation:high, very likely benign file
                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:MS Windows registry file, NT/2000 or above
                          Category:dropped
                          Size (bytes):1835008
                          Entropy (8bit):4.421578242899919
                          Encrypted:false
                          SSDEEP:6144:USvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnND0uhiTw:fvloTMW+EZMM6DFyp03w
                          MD5:E9F9419110CE37BA6D2B3637D3356656
                          SHA1:897FDCA130D74A83B3664026E51AAE7F8A440FAA
                          SHA-256:0B74A154595F2717DD30C7103CCC114B112EC01FC4AAF646C71998BDEBF7EA6D
                          SHA-512:E96B14000155D538AD04F64B82B3FD2DE7FEC916BE1303D6244AF1B1B68415FEC5EDF3A5874EA63E2DFA94F3584A9F73D698FCDFD365084CC2FFFAD285F35B0B
                          Malicious:false
                          Reputation:low
                          Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...uP..................................................................................................................................................................................................................................................................................................................................................A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Entropy (8bit):7.63607553463413
                          TrID:
                          • Win32 Executable (generic) a (10002005/4) 99.96%
                          • Generic Win/DOS Executable (2004/3) 0.02%
                          • DOS Executable Generic (2002/1) 0.02%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                          File name:vNx9jGoYpb.exe
                          File size:504'832 bytes
                          MD5:d482d79a7d37a4c18c8c3273f5d8eed1
                          SHA1:f3bba44877555fd96cb89430e1bc04193b324965
                          SHA256:f508cbf0d02ffbc85b07ada57b869239fa840e7a4b66234384cf97981ad48ccd
                          SHA512:dd5b9a05a98e2020289647d23d93e56ab5b5ecceafa2c1f616d3b19861b2fe1d0ce1a0921a9858f9ba1939d6219f3c10ac1c365ea15d75fa53dbed5bfa43c776
                          SSDEEP:12288:BZkNg8Xo7kMTOZ23kiIeQmXWjt5uOHkCB/Olo8:BWfXC3+m6ukvN
                          TLSH:8AB4F15174C08073E673157105F8EBB96A7DB9600F629DDF63940BBF4F306C19A329AA
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@...@...@.......Q...............V....s..R.......G...@........s.......s..X....p..A....p..A...Rich@...................PE..L..
                          Icon Hash:00928e8e8686b000
                          Entrypoint:0x4096e8
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                          Time Stamp:0x667AE194 [Tue Jun 25 15:26:12 2024 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:6
                          OS Version Minor:0
                          File Version Major:6
                          File Version Minor:0
                          Subsystem Version Major:6
                          Subsystem Version Minor:0
                          Import Hash:f136198aaa89a879cedc68aa43887034
                          Instruction
                          call 00007FCA512C2F65h
                          jmp 00007FCA512C2659h
                          push ebp
                          mov ebp, esp
                          jmp 00007FCA512C27EFh
                          push dword ptr [ebp+08h]
                          call 00007FCA512CC8F4h
                          pop ecx
                          test eax, eax
                          je 00007FCA512C27F1h
                          push dword ptr [ebp+08h]
                          call 00007FCA512C80A8h
                          pop ecx
                          test eax, eax
                          je 00007FCA512C27C8h
                          pop ebp
                          ret
                          cmp dword ptr [ebp+08h], FFFFFFFFh
                          je 00007FCA512C327Bh
                          jmp 00007FCA512C3258h
                          push ebp
                          mov ebp, esp
                          push dword ptr [ebp+08h]
                          call 00007FCA512C3287h
                          pop ecx
                          pop ebp
                          ret
                          jmp 00007FCA512C327Fh
                          push ebp
                          mov ebp, esp
                          mov eax, dword ptr [ebp+08h]
                          push esi
                          mov ecx, dword ptr [eax+3Ch]
                          add ecx, eax
                          movzx eax, word ptr [ecx+14h]
                          lea edx, dword ptr [ecx+18h]
                          add edx, eax
                          movzx eax, word ptr [ecx+06h]
                          imul esi, eax, 28h
                          add esi, edx
                          cmp edx, esi
                          je 00007FCA512C27FBh
                          mov ecx, dword ptr [ebp+0Ch]
                          cmp ecx, dword ptr [edx+0Ch]
                          jc 00007FCA512C27ECh
                          mov eax, dword ptr [edx+08h]
                          add eax, dword ptr [edx+0Ch]
                          cmp ecx, eax
                          jc 00007FCA512C27EEh
                          add edx, 28h
                          cmp edx, esi
                          jne 00007FCA512C27CCh
                          xor eax, eax
                          pop esi
                          pop ebp
                          ret
                          mov eax, edx
                          jmp 00007FCA512C27DBh
                          push esi
                          call 00007FCA512C323Ah
                          test eax, eax
                          je 00007FCA512C2802h
                          mov eax, dword ptr fs:[00000018h]
                          mov esi, 0047BC90h
                          mov edx, dword ptr [eax+04h]
                          jmp 00007FCA512C27E6h
                          cmp edx, eax
                          je 00007FCA512C27F2h
                          xor eax, eax
                          mov ecx, edx
                          lock cmpxchg dword ptr [esi], ecx
                          test eax, eax
                          jne 00007FCA512C27D2h
                          xor al, al
                          pop esi
                          ret
                          mov al, 01h
                          pop esi
                          ret
                          push ebp
                          mov ebp, esp
                          cmp dword ptr [ebp+00h], 00000000h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2d9ac | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7d000 | 0x2128 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2aea8 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x2af00 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2ade8 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x23000 | 0x178 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x203f2 | 0x20400 | 9473287c1fe4059f1514c7787f3ece57 | False | 0.5629163638565892 | data | 6.611692103874533 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.BsS | 0x22000 | 0xd6d | 0xe00 | 2572b8942a979da57343434c1e4e0632 | False | 0.6286272321428571 | data | 6.282939700332608 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x23000 | 0xb27a | 0xb400 | a70f64d7c80ffeeddfb7285a98baa833 | False | 0.3773220486111111 | data | 4.750154549509226 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x2f000 | 0x4d794 | 0x4c800 | 2fc2b93dbd13b37ad468841543077a78 | False | 0.9821569904003268 | data | 7.986719830071589 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x7d000 | 0x2128 | 0x2200 | f6df81272670eba3816cae105c1f858a | False | 0.7370174632352942 | data | 6.502574913596294 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
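The disassembly above is the MSVC CRT startup code: the loop that reads e_lfanew at [eax+3Ch], NumberOfSections at [ecx+06h] and SizeOfOptionalHeader at [ecx+14h], then steps through 0x28-byte IMAGE_SECTION_HEADER entries comparing an RVA against VirtualAddress ([edx+0Ch]) and VirtualAddress+VirtualSize ([edx+08h]), is the CRT's find-section-by-RVA helper, and the lock cmpxchg against a TEB-derived value that follows it is the CRT startup lock. The following is an added example, not code from the report or the sample: it performs the same walk in Python over a constructed PE image built from the section table above (headers only, no section contents), and adds the two checks a reviewer of that table would run by hand, the second executable section with the non-standard name .BsS and the .data section at entropy 7.99, which is what packed or encrypted content looks like. The entropy values are transcribed (rounded) from the report, the allowlist of usual code-section names is an assumption, and the example inspects headers only; it does not establish what the high-entropy data is.

```python
# Added example: the section-header walk from the disassembly above, in Python, run against
# the section table the report lists. The PE bytes are constructed (headers only, no code).
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGEBASE, ENTRYPOINT = 0x400000, 0x4096E8  # Imagebase and Entrypoint from the report

# (name, VirtualAddress, VirtualSize, Characteristics, entropy rounded) transcribed from the report.
REPORT_SECTIONS = [
    (b".text",  0x1000,  0x203F2, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, 6.61),
    (b".BsS",   0x22000, 0xD6D,   IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, 6.28),
    (b".rdata", 0x23000, 0xB27A,  IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ, 4.75),
    (b".data",  0x2F000, 0x4D794, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, 7.99),
    (b".reloc", 0x7D000, 0x2128,  IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ, 6.50),
]
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 0x28 bytes: Name, VirtualSize, VirtualAddress, ...

def build_min_pe(sections):
    """Just enough of a PE image for the header walk: DOS header with e_lfanew, PE signature,
    IMAGE_FILE_HEADER carrying NumberOfSections, an empty optional header, then the section table."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)  # SizeOfOptionalHeader = 0
    table = b"".join(struct.pack(SECTION_HDR, n, vs, va, 0, 0, 0, 0, 0, 0, ch) for n, va, vs, ch, _ in sections)
    return dos + b"PE\0\0" + file_hdr + table

def iter_sections(image):
    """The loop the disassembly runs: e_lfanew at 0x3C, NumberOfSections at NT+0x06,
    SizeOfOptionalHeader at NT+0x14, first IMAGE_SECTION_HEADER at NT+0x18+SizeOfOptionalHeader."""
    nt = struct.unpack_from("<I", image, 0x3C)[0]
    count = struct.unpack_from("<H", image, nt + 0x06)[0]
    first = nt + 0x18 + struct.unpack_from("<H", image, nt + 0x14)[0]
    for i in range(count):
        f = struct.unpack_from(SECTION_HDR, image, first + i * 0x28)
        yield {"name": f[0].rstrip(b"\0").decode(), "vsize": f[1], "va": f[2], "chars": f[9]}

def find_pe_section(image, rva):
    """Return the section whose [VirtualAddress, VirtualAddress + VirtualSize) holds rva, else None;
    these are the two 'jc' comparisons in the listing."""
    for s in iter_sections(image):
        if s["va"] <= rva < s["va"] + s["vsize"]:
            return s
    return None

def entrypoint_section(image, entrypoint=ENTRYPOINT, imagebase=IMAGEBASE):
    s = find_pe_section(image, entrypoint - imagebase)
    return s["name"] if s else None

def triage_sections(image, entropies):
    """Analyst checks on the section table: executable sections whose name a normal MSVC link
    does not produce, and near-8.0 entropy in a writable data section."""
    usual_code = {".text"}  # assumption: allowlist for an MSVC-built GUI executable
    flags = []
    for s in iter_sections(image):
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["name"] not in usual_code:
            flags.append(f"{s['name']}: executable section with non-standard name")
        if s["chars"] & IMAGE_SCN_MEM_WRITE and entropies.get(s["name"], 0) > 7.5:
            flags.append(f"{s['name']}: entropy {entropies[s['name']]:.2f} in a writable data section, "
                         "consistent with packed or encrypted content")
    return flags

IMAGE = build_min_pe(REPORT_SECTIONS)
ENTROPIES = {n.decode(): e for n, *_, e in REPORT_SECTIONS}

if __name__ == "__main__":
    print("entrypoint lands in", entrypoint_section(IMAGE))
    for f in triage_sections(IMAGE, ENTROPIES):
        print("FLAG:", f)
```

The entrypoint 0x4096e8 resolves to RVA 0x96e8 and lands in .text, as the report's "Entrypoint Section" line states; the walk returns None for an RVA in the gap between the end of .BsS (0x22d6d) and the start of .rdata (0x23000), which is also what the CRT helper does for addresses outside any section.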
DLL | Import
GDI32.dll | Polyline
USER32.dll | OffsetRect
KERNEL32.dll | CreateFileW, HeapSize, GetProcessHeap, SetStdHandle, WaitForSingleObject, CreateThread, VirtualAlloc, RaiseException, InitOnceBeginInitialize, InitOnceComplete, CloseHandle, GetCurrentThreadId, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, WakeAllConditionVariable, SleepConditionVariableSRW, GetLastError, FreeLibraryWhenCallbackReturns, CreateThreadpoolWork, SubmitThreadpoolWork, CloseThreadpoolWork, GetModuleHandleExW, IsProcessorFeaturePresent, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, QueryPerformanceCounter, EncodePointer, DecodePointer, MultiByteToWideChar, WideCharToMultiByte, LCMapStringEx, GetSystemTimeAsFileTime, GetModuleHandleW, GetProcAddress, GetStringTypeW, GetCPInfo, GetCurrentProcessId, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetCurrentProcess, TerminateProcess, SetEnvironmentVariableW, RtlUnwind, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetCommandLineA, GetCommandLineW, HeapFree, HeapAlloc, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, GetFileSizeEx, SetFilePointerEx, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
07/03/24-15:54:07.024325 | TCP | 2046045 | ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 49705 | 80 | 192.168.2.5 | 94.228.166.68
07/03/24-15:54:15.837322 | TCP | 2043231 | ET TROJAN Redline Stealer TCP CnC Activity | 49705 | 80 | 192.168.2.5 | 94.228.166.68
07/03/24-15:54:07.229078 | TCP | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 80 | 49705 | 94.228.166.68 | 192.168.2.5
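The three Snort signatures key on .NET Message Framing (MC-NMF), the wire format of WCF's net.tcp transport, which this sample speaks to 94.228.166.68 on TCP port 80; the tempuri.org/Entity/Id*Response strings in the URL table above and the "Id1Response" in SID 2043234 are the corresponding WCF action names. As an added example, not code from the report or from the signatures, the following decodes the MC-NMF preamble that opens such a session (Version, Mode, Via and KnownEncoding records up to PreambleEnd, per the MS-NMF record layout) and lists the traits an analyst would flag. The preamble bytes are constructed, not taken from the report's PCAP; the Via URI uses the C2 address and port from the report as an assumption about what the real preamble carried, and the triage rules are this example's own heuristics.

```python
# Added example: decode the MC-NMF (.NET Message Framing) preamble that opens a WCF net.tcp
# session and flag what a RedLine-style C2 session looks like. The sample bytes are constructed.
from urllib.parse import urlsplit

# Preamble record types from the MS-NMF specification.
REC_VERSION, REC_MODE, REC_VIA, REC_KNOWN_ENCODING, REC_PREAMBLE_END = 0x00, 0x01, 0x02, 0x03, 0x0C
MODES = {0x01: "SingletonUnsized", 0x02: "Duplex", 0x03: "Simplex", 0x04: "SingletonSized"}
ENCODINGS = {
    0x00: "UTF8-SOAP1.1", 0x01: "UTF16-SOAP1.1", 0x02: "UnicodeFFFE-SOAP1.1",
    0x03: "UTF8-SOAP1.2", 0x04: "UTF16-SOAP1.2", 0x05: "UnicodeFFFE-SOAP1.2",
    0x06: "MTOM", 0x07: "Binary", 0x08: "BinaryWithInBandDictionary",
}

def encode_7bit(n):
    """MS-NMF length prefix: little-endian base-128, high bit set on all but the last byte."""
    out = bytearray()
    while True:
        b = n & 0x7F
        n >>= 7
        if n:
            out.append(b | 0x80)
        else:
            out.append(b)
            return bytes(out)

def read_7bit(buf, off):
    """Inverse of encode_7bit; returns (value, new_offset). The spec allows at most 5 bytes."""
    value, shift = 0, 0
    for _ in range(5):
        if off >= len(buf):
            raise ValueError("truncated length prefix")
        b = buf[off]
        off += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, off
        shift += 7
    raise ValueError("length prefix too long")

def parse_nmf_preamble(buf):
    """Parse Version, Mode, Via and KnownEncoding records up to and including PreambleEnd."""
    out = {"version": None, "mode": None, "via": None, "encoding": None}
    off = 0
    while True:
        if off >= len(buf):
            raise ValueError("preamble truncated before PreambleEnd")
        rec = buf[off]
        off += 1
        if rec == REC_VERSION:
            if off + 2 > len(buf):
                raise ValueError("truncated Version record")
            out["version"] = (buf[off], buf[off + 1])
            off += 2
        elif rec == REC_MODE:
            if off >= len(buf):
                raise ValueError("truncated Mode record")
            out["mode"] = MODES.get(buf[off], f"Unknown(0x{buf[off]:02x})")
            off += 1
        elif rec == REC_VIA:
            n, off = read_7bit(buf, off)
            if off + n > len(buf):
                raise ValueError("truncated Via record")
            out["via"] = buf[off:off + n].decode("utf-8")
            off += n
        elif rec == REC_KNOWN_ENCODING:
            if off >= len(buf):
                raise ValueError("truncated KnownEncoding record")
            out["encoding"] = ENCODINGS.get(buf[off], f"Unknown(0x{buf[off]:02x})")
            off += 1
        elif rec == REC_PREAMBLE_END:
            out["end_offset"] = off  # the envelope records start here
            return out
        else:
            raise ValueError(f"unexpected record type 0x{rec:02x} in preamble")

def triage_preamble(pre, dst_port):
    """Reasons an analyst would flag this session (example heuristics); empty means nothing notable."""
    reasons = []
    via = urlsplit(pre["via"] or "")
    if via.scheme == "net.tcp" and dst_port in (80, 443):
        reasons.append(f"net.tcp framing to port {dst_port}, not an HTTP(S) conversation")
    if via.hostname and via.hostname.replace(".", "").isdigit():
        reasons.append("Via addresses the endpoint by raw IP rather than hostname")
    if pre["mode"] == "Duplex" and pre["encoding"] == "BinaryWithInBandDictionary":
        reasons.append("Duplex framing with binary in-band dictionary encoding (WCF NetTcpBinding)")
    return reasons

# Constructed sample, not from the report's PCAP: the Via uses the report's C2 address and port
# as an assumption about what the real preamble carried.
SAMPLE_VIA = b"net.tcp://94.228.166.68:80/"
SAMPLE_PREAMBLE = (bytes([REC_VERSION, 0x01, 0x00, REC_MODE, 0x02, REC_VIA])
                   + encode_7bit(len(SAMPLE_VIA)) + SAMPLE_VIA
                   + bytes([REC_KNOWN_ENCODING, 0x08, REC_PREAMBLE_END]))

if __name__ == "__main__":
    pre = parse_nmf_preamble(SAMPLE_PREAMBLE)
    print(pre)
    for r in triage_preamble(pre, 80):
        print("FLAG:", r)
```

The parser refuses a buffer that ends before PreambleEnd rather than returning a partial result, so a detection built on it does not fire on a truncated capture; the first triage rule is the one that matters for this report, since a net.tcp preamble on port 80 cannot be mistaken for HTTP once the first bytes of the stream are inspected.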
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 3, 2024 15:54:06.150033951 CEST | 49705 | 80 | 192.168.2.5 | 94.228.166.68
Jul 3, 2024 15:54:06.155586004 CEST | 80 | 49705 | 94.228.166.68 | 192.168.2.5
Jul 3, 2024 15:54:06.155678034 CEST | 49705 | 80 | 192.168.2.5 | 94.228.166.68
Jul 3, 2024 15:54:06.168623924 CEST | 49705 | 80 | 192.168.2.5 | 94.228.166.68
Jul 3, 2024 15:54:06.175039053 CEST | 80 | 49705 | 94.228.166.68 | 192.168.2.5
Jul 3, 2024 15:54:06.988864899 CEST | 80 | 49705 | 94.228.166.68 | 192.168.2.5
Jul 3, 2024 15:54:07.024324894 CEST | 49705 | 80 | 192.168.2.5 | 94.228.166.68
Jul 3, 2024 15:54:07.029252052 CEST | 80 | 49705 | 94.228.166.68 | 192.168.2.5
Jul 3, 2024 15:54:07.229078054 CEST | 80 | 49705 | 94.228.166.68 | 192.168.2.5
Jul 3, 2024 15:54:07.283124924 CEST | 49705 | 80 | 192.168.2.5 | 94.228.166.68
Jul 3, 2024 15:54:12.286501884 CEST | 49705 | 80 | 192.168.2.5 | 94.228.166.68
Jul 3, 2024 15:54:12.291682005 CEST | 80 | 49705 | 94.228.166.68 | 192.168.2.5
Jul 3, 2024 15:54:12.495115995 CEST | 80 | 49705 | 94.228.166.68 | 192.168.2.5
Jul 3, 2024 15:54:12.495276928 CEST | 80 | 49705 | 94.228.166.68 | 192.168.2.5
Jul 3, 2024 15:54:12.495290995 CEST | 80 | 49705 | 94.228.166.68 | 192.168.2.5
Jul 3, 2024 15:54:12.495352030 CEST | 49705 | 80 | 192.168.2.5 | 94.228.166.68
Jul 3, 2024 15:54:12.496294022 CEST | 80 | 49705 | 94.228.166.68 | 192.168.2.5
Jul 3, 2024 15:54:12.496306896 CEST | 80 | 49705 | 94.228.166.68 | 192.168.2.5
Jul 3, 2024 15:54:12.496355057 CEST | 49705 | 80 | 192.168.2.5 | 94.228.166.68
Jul 3, 2024 15:54:12.497194052 CEST | 80 | 49705 | 94.228.166.68 | 192.168.2.5
Jul 3, 2024 15:54:12.497245073 CEST | 49705 | 80 | 192.168.2.5 | 94.228.166.68
Jul 3, 2024 15:54:14.950463057 CEST | 49705 | 80 | 192.168.2.5 | 94.228.166.68
Jul 3, 2024 15:54:14.955677032 CEST | 80 | 49705 | 94.228.166.68 | 192.168.2.5
Jul 3, 2024 15:54:14.955698013 CEST | 80 | 49705 | 94.228.166.68 | 192.168.2.5
Jul 3, 2024 15:54:14.955705881 CEST | 80 | 49705 | 94.228.166.68 | 192.168.2.5
Jul 3, 2024 15:54:14.955713987 CEST | 80 | 49705 | 94.228.166.68 | 192.168.2.5
Jul 3, 2024 15:54:14.955723047 CEST | 80 | 49705 | 94.228.166.68 | 192.168.2.5
Jul 3, 2024 15:54:14.955759048 CEST | 80 | 49705 | 94.228.166.68 | 192.168.2.5
Jul 3, 2024 15:54:14.955768108 CEST | 49705 | 80 | 192.168.2.5 | 94.228.166.68
Jul 3, 2024 15:54:14.955801010 CEST | 80 | 49705 | 94.228.166.68 | 192.168.2.5
Jul 3, 2024 15:54:14.955809116 CEST | 80 | 49705 | 94.228.166.68 | 192.168.2.5
Jul 3, 2024 15:54:14.955816984 CEST | 49705 | 80 | 192.168.2.5 | 94.228.166.68
Jul 3, 2024 15:54:14.955817938 CEST | 80 | 49705 | 94.228.166.68 | 192.168.2.5
Jul 3, 2024 15:54:14.955830097 CEST | 80 | 49705 | 94.228.166.68 | 192.168.2.5
Jul 3, 2024 15:54:14.955848932 CEST | 49705 | 80 | 192.168.2.5 | 94.228.166.68
Jul 3, 2024 15:54:14.955862045 CEST | 49705 | 80 | 192.168.2.5 | 94.228.166.68
Jul 3, 2024 15:54:14.955890894 CEST | 49705 | 80 | 192.168.2.5 | 94.228.166.68
Jul 3, 2024 15:54:14.960709095 CEST | 80 | 49705 | 94.228.166.68 | 192.168.2.5
Jul 3, 2024 15:54:14.960716963 CEST | 80 | 49705 | 94.228.166.68 | 192.168.2.5
Jul 3, 2024 15:54:14.960788012 CEST | 49705 | 80 | 192.168.2.5 | 94.228.166.68
Jul 3, 2024 15:54:14.960836887 CEST | 80 | 49705 | 94.228.166.68 | 192.168.2.5
Jul 3, 2024 15:54:14.960845947 CEST | 80 | 49705 | 94.228.166.68 | 192.168.2.5
Jul 3, 2024 15:54:14.960853100 CEST | 80 | 49705 | 94.228.166.68 | 192.168.2.5
Jul 3, 2024 15:54:14.960860968 CEST | 80 | 49705 | 94.228.166.68 | 192.168.2.5
Jul 3, 2024 15:54:14.960867882 CEST | 80 | 49705 | 94.228.166.68 | 192.168.2.5
Jul 3, 2024 15:54:14.960875988 CEST | 80 | 49705 | 94.228.166.68 | 192.168.2.5
Jul 3, 2024 15:54:14.960887909 CEST | 80 | 49705 | 94.228.166.68 | 192.168.2.5
Jul 3, 2024 15:54:14.960894108 CEST | 49705 | 80 | 192.168.2.5 | 94.228.166.68
Jul 3, 2024 15:54:14.960954905 CEST | 49705 | 80 | 192.168.2.5 | 94.228.166.68
Jul 3, 2024 15:54:14.960983038 CEST | 80 | 49705 | 94.228.166.68 | 192.168.2.5
Jul 3, 2024 15:54:14.960990906 CEST | 80 | 49705 | 94.228.166.68 | 192.168.2.5
Jul 3, 2024 15:54:14.961044073 CEST | 49705 | 80 | 192.168.2.5 | 94.228.166.68
Jul 3, 2024 15:54:14.965687990 CEST | 80 | 49705 | 94.228.166.68 | 192.168.2.5
Jul 3, 2024 15:54:14.965755939 CEST | 49705 | 80 | 192.168.2.5 | 94.228.166.68
Jul 3, 2024 15:54:14.965877056 CEST | 80 | 49705 | 94.228.166.68 | 192.168.2.5
Jul 3, 2024 15:54:14.965958118 CEST | 80 | 49705 | 94.228.166.68 | 192.168.2.5
Jul 3, 2024 15:54:14.965964079 CEST | 49705 | 80 | 192.168.2.5 | 94.228.166.68
Jul 3, 2024 15:54:14.966007948 CEST | 80 | 49705 | 94.228.166.68 | 192.168.2.5
Jul 3, 2024 15:54:14.966104984 CEST | 49705 | 80 | 192.168.2.5 | 94.228.166.68
Jul 3, 2024 15:54:14.966253996 CEST | 80 | 49705 | 94.228.166.68 | 192.168.2.5
Jul 3, 2024 15:54:14.966262102 CEST | 80 | 49705 | 94.228.166.68 | 192.168.2.5
Jul 3, 2024 15:54:14.966265917 CEST | 80 | 49705 | 94.228.166.68 | 192.168.2.5
Jul 3, 2024 15:54:14.966274023 CEST | 80 | 49705 | 94.228.166.68 | 192.168.2.5
                          Jul 3, 2024 15:54:14.966312885 CEST4970580192.168.2.594.228.166.68
                          Jul 3, 2024 15:54:14.966413975 CEST4970580192.168.2.594.228.166.68
                          Jul 3, 2024 15:54:14.971451998 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.971491098 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.971506119 CEST4970580192.168.2.594.228.166.68
                          Jul 3, 2024 15:54:14.971534014 CEST4970580192.168.2.594.228.166.68
                          Jul 3, 2024 15:54:14.971585035 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.971615076 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.971622944 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.971664906 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.971673012 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.971679926 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.971709967 CEST4970580192.168.2.594.228.166.68
                          Jul 3, 2024 15:54:14.971724987 CEST4970580192.168.2.594.228.166.68
                          Jul 3, 2024 15:54:14.971724987 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.971733093 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.971740007 CEST4970580192.168.2.594.228.166.68
                          Jul 3, 2024 15:54:14.971756935 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.971769094 CEST4970580192.168.2.594.228.166.68
                          Jul 3, 2024 15:54:14.971795082 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.971802950 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.971807003 CEST4970580192.168.2.594.228.166.68
                          Jul 3, 2024 15:54:14.971822023 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.971831083 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.971846104 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.971846104 CEST4970580192.168.2.594.228.166.68
                          Jul 3, 2024 15:54:14.971869946 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.971889973 CEST4970580192.168.2.594.228.166.68
                          Jul 3, 2024 15:54:14.971894979 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.971908092 CEST4970580192.168.2.594.228.166.68
                          Jul 3, 2024 15:54:14.971914053 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.971942902 CEST4970580192.168.2.594.228.166.68
                          Jul 3, 2024 15:54:14.971945047 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.971976995 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.971986055 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.972018957 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.972026110 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.972033024 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.972157955 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.972166061 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.972168922 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.972172022 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.972258091 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.972271919 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.972279072 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.972307920 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.972315073 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.972321987 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.972328901 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.972337008 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.972346067 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.972551107 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.972558975 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.972565889 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.972573042 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.972582102 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.972585917 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.972593069 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.972595930 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.972603083 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.972609997 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.972618103 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.972625971 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.972755909 CEST4970580192.168.2.594.228.166.68
                          Jul 3, 2024 15:54:14.972819090 CEST4970580192.168.2.594.228.166.68
                          Jul 3, 2024 15:54:14.972897053 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.972906113 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.972913980 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.972917080 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.972923994 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.972930908 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.976407051 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.976516962 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.976684093 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.976691961 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.976861954 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.976869106 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.976886034 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.976893902 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.976910114 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.977215052 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.977222919 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.977284908 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.977293015 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.977341890 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.977413893 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.977421045 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.977505922 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.977514029 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.977516890 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.977524042 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.977528095 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.977621078 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.977628946 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.977636099 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.977643013 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.977763891 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.977771997 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.977775097 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.977777958 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.977849960 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.977857113 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.977864027 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.977871895 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.977875948 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.977907896 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.977916956 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.977926970 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.978152990 CEST4970580192.168.2.594.228.166.68
                          Jul 3, 2024 15:54:14.978203058 CEST4970580192.168.2.594.228.166.68
                          Jul 3, 2024 15:54:14.978625059 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.978634119 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.978704929 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.978713036 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.978781939 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.978790045 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.978805065 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.978811979 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.978826046 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.978833914 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.978888035 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.978895903 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.979058027 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.979067087 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.979106903 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.979115009 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.979130983 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.979137897 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.979151964 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.979160070 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.979197025 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.979217052 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.979249001 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.979257107 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.979376078 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.979382992 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.979387045 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.979389906 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.979393959 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.979402065 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.981334925 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.981343031 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.981345892 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.981348991 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.981355906 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.981364012 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.981373072 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.981380939 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.981386900 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.981395006 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.981401920 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.981410027 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.981412888 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.981421947 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.981430054 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.981432915 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.981436014 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.981439114 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.981445074 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.981453896 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.981462002 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.981470108 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.981477022 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983108997 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983117104 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983195066 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983201981 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983210087 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983218908 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983234882 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983242035 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983249903 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983257055 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983266115 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983289957 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983299017 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983308077 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983315945 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983375072 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983382940 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983390093 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983397961 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983406067 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983488083 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983495951 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983499050 CEST4970580192.168.2.594.228.166.68
                          Jul 3, 2024 15:54:14.983504057 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983511925 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983519077 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983521938 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983530998 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983537912 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983546972 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983549118 CEST4970580192.168.2.594.228.166.68
                          Jul 3, 2024 15:54:14.983555079 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983601093 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983608961 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983612061 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983618975 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983627081 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983634949 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983643055 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983649969 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983664989 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983673096 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983761072 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983768940 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983772039 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983774900 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983791113 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983803988 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983817101 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983870983 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983879089 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983886003 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983917952 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983926058 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.983961105 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.988522053 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.988529921 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.988543987 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.988552094 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.988564968 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.988573074 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.988624096 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.988640070 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.988693953 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.988703012 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.988771915 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.988780022 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.988782883 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.988791943 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.988799095 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.988846064 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.988852978 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.988854885 CEST4970580192.168.2.594.228.166.68
                          Jul 3, 2024 15:54:14.988859892 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.988868952 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.988876104 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.988903999 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.988903999 CEST4970580192.168.2.594.228.166.68
                          Jul 3, 2024 15:54:14.988912106 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.988979101 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.988986969 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.988991022 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.988997936 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.989001036 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.989007950 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.989087105 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.989095926 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.989103079 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.989106894 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.989114046 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.989120960 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.989170074 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.989178896 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.989182949 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.989186049 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.989192963 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.989200115 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.989207029 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.989221096 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.989228964 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.989234924 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.989360094 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.989368916 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.989372015 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.989408970 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.989463091 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.989470959 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.989485025 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.989491940 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.989510059 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.993808031 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.993895054 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.993901968 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.993911028 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.993917942 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.993926048 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.993953943 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.994007111 CEST4970580192.168.2.594.228.166.68
                          Jul 3, 2024 15:54:14.994009972 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.994050980 CEST4970580192.168.2.594.228.166.68
                          Jul 3, 2024 15:54:14.994112968 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.994122028 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.994124889 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.994132042 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.994141102 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.994158030 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.994165897 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.994174957 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.994182110 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.994189978 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.994231939 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.994240046 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.994380951 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.994388103 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.994395018 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.994401932 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.994417906 CEST804970594.228.166.68192.168.2.5
                          Jul 3, 2024 15:54:14.994426012 CEST804970594.228.166.68192.168.2.5
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Jul 3, 2024 15:54:14.994432926 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:14.994440079 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:14.994493008 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:14.994502068 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:14.994556904 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:14.994565010 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:14.994573116 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:14.994580030 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:14.994595051 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:14.994607925 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:14.994617939 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:14.994651079 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:14.994658947 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:14.994797945 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:14.994806051 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:14.994813919 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:14.994824886 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:14.994833946 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:14.994839907 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:14.994843006 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:14.994854927 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:14.994862080 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:14.994870901 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:14.994879007 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:14.994893074 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:14.994900942 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:14.994909048 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:14.998972893 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:14.998981953 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:14.998987913 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:14.998996973 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:14.999059916 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:14.999068022 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:14.999126911 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:14.999181986 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:14.999190092 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:14.999205112 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:14.999217033 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:14.999238014 CEST  49705        80         192.168.2.5    94.228.166.68
Jul 3, 2024 15:54:14.999243021 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:14.999250889 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:14.999290943 CEST  49705        80         192.168.2.5    94.228.166.68
Jul 3, 2024 15:54:14.999325037 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:14.999332905 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:14.999336004 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:14.999344110 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:14.999351978 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:15.044756889 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:15.044995070 CEST  49705        80         192.168.2.5    94.228.166.68
Jul 3, 2024 15:54:15.045061111 CEST  49705        80         192.168.2.5    94.228.166.68
Jul 3, 2024 15:54:15.045061111 CEST  49705        80         192.168.2.5    94.228.166.68
Jul 3, 2024 15:54:15.045109987 CEST  49705        80         192.168.2.5    94.228.166.68
Jul 3, 2024 15:54:15.049845934 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:15.049977064 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:15.050004005 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:15.050034046 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:15.050043106 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:15.050101995 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:15.050112009 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:15.050178051 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:15.050188065 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:15.050239086 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:15.050249100 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:15.050257921 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:15.050287008 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:15.050414085 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:15.050424099 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:15.050515890 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:15.050524950 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:15.050605059 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:15.050615072 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:15.050699949 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:15.050709009 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:15.094460011 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:15.094589949 CEST  49705        80         192.168.2.5    94.228.166.68
Jul 3, 2024 15:54:15.133459091 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:15.836643934 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:15.837321997 CEST  49705        80         192.168.2.5    94.228.166.68
Jul 3, 2024 15:54:15.842201948 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:16.153192997 CEST  80           49705      94.228.166.68  192.168.2.5
Jul 3, 2024 15:54:16.173845053 CEST  49705        80         192.168.2.5    94.228.166.68
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Jul 3, 2024 15:54:12.681226015 CEST  57796        53         192.168.2.5  1.1.1.1

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name       Type            Class        DNS over HTTPS
Jul 3, 2024 15:54:12.681226015 CEST  192.168.2.5  1.1.1.1  0xca1a    Standard query (0)  api.ip.sb  A (IP address)  IN (0x0001)  false

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name       CName                         Address  Type                    Class        DNS over HTTPS
Jul 3, 2024 15:54:12.688406944 CEST  1.1.1.1    192.168.2.5  0xca1a    No error (0)  api.ip.sb  api.ip.sb.cdn.cloudflare.net  -        CNAME (Canonical name)  IN (0x0001)  false

Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.5  49705        94.228.166.68   80                2700  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp                            Bytes transferred  Direction  Data
Jul 3, 2024 15:54:06.168623924 CEST  37                 OUT
Data Raw: 00 01 00 01 02 02 1b 6e 65 74 2e 74 63 70 3a 2f 2f 39 34 2e 32 32 38 2e 31 36 36 2e 36 38 3a 38 30 2f 03 08 0c
Data Ascii: net.tcp://94.228.166.68:80/
Jul 3, 2024 15:54:06.988864899 CEST  1                  IN
Data Raw: 0b
Data Ascii:
Jul 3, 2024 15:54:07.024324894 CEST  202                OUT
Data Raw: 06 c7 01 52 1d 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 45 6e 74 69 74 79 2f 49 64 31 1b 6e 65 74 2e 74 63 70 3a 2f 2f 39 34 2e 32 32 38 2e 31 36 36 2e 36 38 3a 38 30 2f 03 49 64 31 13 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e
Data Ascii: Rhttp://tempuri.org/Entity/Id1net.tcp://94.228.166.68:80/Id1http://tempuri.org/VsaVD@Authorizationns1 ec115238af12754cb0b0480ec782f2efD[C/n_D,D*DVB
Jul 3, 2024 15:54:07.229078054 CEST  142                IN
Data Raw: 06 8b 01 50 25 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 45 6e 74 69 74 79 2f 49 64 31 52 65 73 70 6f 6e 73 65 0b 49 64 31 52 65 73 70 6f 6e 73 65 13 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 09 49 64 31 52 65 73 75
Data Ascii: P%http://tempuri.org/Entity/Id1ResponseId1Responsehttp://tempuri.org/Id1ResultVsaVDD[C/n_DVBB
Jul 3, 2024 15:54:12.286501884 CEST  154                OUT
Data Raw: 06 97 01 22 1d 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 45 6e 74 69 74 79 2f 49 64 32 03 49 64 32 56 02 0b 01 73 04 0b 01 61 06 56 08 44 0a 1e 00 82 ab 09 40 0d 41 75 74 68 6f 72 69 7a 61 74 69 6f 6e 08 03 6e 73 31 99 20 65 63 31
Data Ascii: "http://tempuri.org/Entity/Id2Id2VsaVD@Authorizationns1 ec115238af12754cb0b0480ec782f2efDVmn@pMm4D,D*DVB
Jul 3, 2024 15:54:12.495115995 CEST  1236               IN
Data Raw: 06 ff 33 f8 01 25 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 45 6e 74 69 74 79 2f 49 64 32 52 65 73 70 6f 6e 73 65 0b 49 64 32 52 65 73 70 6f 6e 73 65 09 49 64 32 52 65 73 75 6c 74 06 45 6e 74 69 74 79 29 68 74 74 70 3a 2f 2f 77 77
Data Ascii: 3%http://tempuri.org/Entity/Id2ResponseId2ResponseId2ResultEntity)http://www.w3.org/2001/XMLSchema-instanceId1Id109http://schemas.microsoft.com/2003/10/Serialization/ArraysstringId11Id12Id13Entity17Id2Id3Entity16Id4Id5Id6I
Jul 3, 2024 15:54:12.495276928 CEST  1236               IN
Data Raw: 46 19 99 2d 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 49 72 69 64 69 75 6d 5c 55 73 65 72 20 44 61 74 61 46 19 99 31 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 37
Data Ascii: F-%USERPROFILE%\AppData\Local\Iridium\User DataF1%USERPROFILE%\AppData\Local\7Star\7Star\User DataF1%USERPROFILE%\AppData\Local\CentBrowser\User DataF,%USERPROFILE%\AppData\Local\Chedot\User DataF-%USERPROFILE%\AppData\Local\Vivaldi\
Jul 3, 2024 15:54:12.495290995 CEST  1236               IN
Data Raw: 5c 55 73 65 72 20 44 61 74 61 46 19 99 35 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 53 70 75 74 6e 69 6b 5c 53 70 75 74 6e 69 6b 5c 55 73 65 72 20 44 61 74 61 46 19 99 2e 25 55 53 45 52 50 52 4f 46 49 4c
Data Ascii: \User DataF5%USERPROFILE%\AppData\Local\Sputnik\Sputnik\User DataF.%USERPROFILE%\AppData\Local\Nichrome\User DataF4%USERPROFILE%\AppData\Local\CocCoc\Browser\User DataF*%USERPROFILE%\AppData\Local\Uran\User DataF.%USERPROFILE%\AppDat
Jul 3, 2024 15:54:12.496294022 CEST  1236               IN
Data Raw: 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 55 43 42 72 6f 77 73 65 72 5c 55 73 65 72 20 44 61 74 61 5f 69 31 38 6e 46 19 99 2d 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 4d 61 78 74 68 6f
Data Ascii: FILE%\AppData\Local\UCBrowser\User Data_i18nF-%USERPROFILE%\AppData\Local\Maxthon\User DataF+%USERPROFILE%\AppData\Local\Blisk\User DataF4%USERPROFILE%\AppData\Local\AOL\AOL Shield\User DataF8%USERPROFILE%\AppData\Local\Baidu\BaiduBrow
Jul 3, 2024 15:54:12.496306896 CEST  1236               IN
Data Raw: 65 73 46 19 99 2c 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 52 6f 61 6d 69 6e 67 5c 53 69 65 6c 6f 5c 70 72 6f 66 69 6c 65 73 46 19 99 2f 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 52 6f 61 6d 69 6e
Data Ascii: esF,%USERPROFILE%\AppData\Roaming\Sielo\profilesF/%USERPROFILE%\AppData\Roaming\Waterfox\ProfilesF:%USERPROFILE%\AppData\Roaming\conkeror.mozdev.org\conkerorF0%USERPROFILE%\AppData\Roaming\Netscape\NavigatorF/%USERPROFILE%\AppData\Ro
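The first client packet on session 0 is not HTTP even though the server port is 80: it is a .NET Message Framing ([MC-NMF]) preamble for a WCF net.tcp endpoint, and the later 202-, 142-, 154- and 1236-byte packets are Sized Envelope records carrying binary XML. The parser below is an added example (not Joe Sandbox code and not code from the sample) that walks those records over the exact bytes copied from the "Data Raw" lines above. The record-type and mode/encoding tables follow the MC-NMF specification; only the first bytes of the longer frames appear on the page, which is enough to decode each envelope's announced length.

```python
from dataclasses import dataclass

# Record type identifiers, [MC-NMF] section 2.2.
VERSION, MODE, VIA, KNOWN_ENCODING = 0x00, 0x01, 0x02, 0x03
SIZED_ENVELOPE, END, PREAMBLE_ACK, PREAMBLE_END = 0x06, 0x07, 0x0B, 0x0C

MODES = {1: "SingletonUnsized", 2: "Duplex", 3: "Simplex", 4: "SingletonSized"}
ENCODINGS = {
    0: "UTF-8 SOAP 1.1", 1: "UTF-16 SOAP 1.1", 2: "Unicode LE SOAP 1.1",
    3: "UTF-8 SOAP 1.2", 4: "UTF-16 SOAP 1.2", 5: "Unicode LE SOAP 1.2",
    6: "MTOM", 7: "Binary", 8: "Binary with in-band dictionary",
}

# Bytes copied from the "Data Raw" lines of TCP session 0 in the report.
CLIENT_PREAMBLE = bytes.fromhex(
    "00 01 00 01 02 02 1b 6e 65 74 2e 74 63 70 3a 2f 2f 39 34 2e 32 32 38"
    " 2e 31 36 36 2e 36 38 3a 38 30 2f 03 08 0c"
)
SERVER_ACK = bytes.fromhex("0b")
# Only the leading bytes of the 202-byte client frame and the first 1236-byte
# server segment are reproduced on the page; the record type plus the length
# prefix is all that is needed to size the envelope.
CLIENT_FRAME_HEAD = bytes.fromhex("06 c7 01 52 1d 68 74 74 70")
SERVER_FRAME_HEAD = bytes.fromhex("06 ff 33 f8 01 25 68 74 74 70")


def read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode the 7-bit little-endian length prefix used by the Via and
    Sized Envelope records. Returns (value, offset just past the prefix)."""
    value, shift = 0, 0
    while True:
        if pos >= len(buf) or shift > 28:
            raise ValueError("truncated or oversized length prefix")
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7


@dataclass
class Preamble:
    version: tuple[int, int]
    mode: str
    via: str
    encoding: str
    complete: bool  # a Preamble End record (0x0C) terminated the preamble


def parse_preamble(buf: bytes) -> Preamble:
    """Walk the records of a client preamble; raise on anything that is not
    a well-formed Version/Mode/Via/Known Encoding/Preamble End sequence."""
    pos = 0
    version = mode = via = encoding = None
    complete = False
    while pos < len(buf) and not complete:
        rec = buf[pos]
        pos += 1
        if rec == VERSION:
            version = (buf[pos], buf[pos + 1])   # major, minor
            pos += 2
        elif rec == MODE:
            mode = MODES.get(buf[pos], f"unknown({buf[pos]})")
            pos += 1
        elif rec == VIA:
            length, pos = read_varint(buf, pos)
            via = buf[pos:pos + length].decode("utf-8")
            pos += length
        elif rec == KNOWN_ENCODING:
            encoding = ENCODINGS.get(buf[pos], f"unknown({buf[pos]})")
            pos += 1
        elif rec == PREAMBLE_END:
            complete = True
        else:
            raise ValueError(f"unexpected record 0x{rec:02x} at offset {pos - 1}")
    if None in (version, mode, via, encoding):
        raise ValueError("preamble is missing a mandatory record")
    return Preamble(version, mode, via, encoding, complete)


def sized_envelope_length(buf: bytes) -> int:
    """Payload length announced by a Sized Envelope record (0x06)."""
    if not buf or buf[0] != SIZED_ENVELOPE:
        raise ValueError("not a Sized Envelope record")
    length, _ = read_varint(buf, 1)
    return length


def is_preamble_ack(buf: bytes) -> bool:
    return buf == bytes([PREAMBLE_ACK])


if __name__ == "__main__":
    print(parse_preamble(CLIENT_PREAMBLE))
    print("server acked preamble:", is_preamble_ack(SERVER_ACK))
    print("client envelope payload bytes:", sized_envelope_length(CLIENT_FRAME_HEAD))
    print("server envelope payload bytes:", sized_envelope_length(SERVER_FRAME_HEAD))
```

The 37-byte preamble decodes to version 1.0, Duplex mode, the Via `net.tcp://94.228.166.68:80/` and encoding 8 (binary XML with an in-band dictionary), and the single 0x0b byte from the server is the Preamble Ack. The client frame announces a 199-byte payload (1 record byte + 2 length bytes + 199 = the 202 bytes shown), while the server's response announces 6655 bytes, so it spans several of the 1236-byte segments that follow and any detection that wants the full configuration has to reassemble the stream rather than match a single packet. A Via record of the form `net.tcp://<ip>:80/` at the very start of a TCP stream is the cheapest content match for this traffic.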

                          Target ID:1
                          Start time:09:53:58
                          Start date:03/07/2024
                          Path:C:\Users\user\Desktop\vNx9jGoYpb.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\vNx9jGoYpb.exe"
                          Imagebase:0xe00000
                          File size:504'832 bytes
                          MD5 hash:D482D79A7D37A4C18C8C3273F5D8EED1
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Target ID:2
                          Start time:09:53:58
                          Start date:03/07/2024
                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                          Imagebase:0x9e0000
                          File size:65'440 bytes
                          MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.2195672440.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2198036610.0000000002D35000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2198036610.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:high
                          Has exited:true

                          Target ID:5
                          Start time:09:54:01
                          Start date:03/07/2024
                          Path:C:\Windows\SysWOW64\WerFault.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6000 -s 308
                          Imagebase:0xf70000
                          File size:483'680 bytes
                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true
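Targets 1 and 2 together are the pattern worth alerting on: a user-writable executable on the Desktop starts the signed framework utility RegAsm.exe with no arguments at all (the command line above is just the quoted image path), and RedLine's Yara match then lands at 0x402000 inside that RegAsm.exe process. The script below is an added example, not code from Joe Sandbox or from the sample, showing two checks a detection engineer could run over process-creation telemetry and over an API trace: a hollowing-host heuristic for the parent/child pair, and an ordered match for the CreateProcessA / VirtualAllocEx / WriteProcessMemory / Wow64SetThreadContext / ResumeThread chain recorded in the execution graph further down. The events are constructed to mirror the report; only the RegAsm.exe PID 2700 comes from the session table, the dropper's PID, an explorer.exe parent and a benign MSBuild/RegAsm control pair are assumptions, and the parent allow-list is a tuning placeholder.

```python
from dataclasses import dataclass
import ntpath

# Signed .NET utilities that are routinely hollowed. A bare invocation (no
# arguments) does nothing useful for any of them, so it is a strong signal.
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe",
                "applaunch.exe", "aspnet_compiler.exe"}
# Parent directories treated as legitimate launchers. Placeholder for this
# example (an assumption); tune it to the build tooling in your environment.
ALLOWED_PARENT_DIRS = ("c:\\windows\\microsoft.net\\framework\\",
                       "c:\\windows\\microsoft.net\\framework64\\")

# Write-and-resume stages, each with the API names that satisfy it.
HOLLOW_STAGES = (
    ("CreateProcessA", "CreateProcessW", "CreateProcessInternalW"),
    ("VirtualAllocEx", "NtAllocateVirtualMemory", "NtUnmapViewOfSection"),
    ("WriteProcessMemory", "NtWriteVirtualMemory"),
    ("Wow64SetThreadContext", "SetThreadContext", "NtSetContextThread"),
    ("ResumeThread", "NtResumeThread"),
)


@dataclass
class ProcessEvent:
    pid: int
    image: str
    cmdline: str
    parent_pid: int
    parent_image: str


# Constructed to mirror Targets 1 and 2. PID 2700 for RegAsm.exe is the value
# in the TCP session table; 6000 for the dropper, 1234 for explorer.exe and
# the MSBuild/RegAsm control (4000/4100) are made up for the example.
EVENTS = [
    ProcessEvent(6000, r"C:\Users\user\Desktop\vNx9jGoYpb.exe",
                 r'"C:\Users\user\Desktop\vNx9jGoYpb.exe"',
                 1234, r"C:\Windows\explorer.exe"),
    ProcessEvent(2700, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
                 r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
                 6000, r"C:\Users\user\Desktop\vNx9jGoYpb.exe"),
    ProcessEvent(4100, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
                 r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /codebase C:\build\Interop.dll',
                 4000, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"),
]

# API names in the order they appear along nodes 13e01c5 -> 13e0429 of the
# execution graph in this report.
OBSERVED_CALLS = ["CreateProcessA", "VirtualAlloc", "Wow64GetThreadContext",
                  "ReadProcessMemory", "VirtualAllocEx", "WriteProcessMemory",
                  "WriteProcessMemory", "WriteProcessMemory",
                  "Wow64SetThreadContext", "ResumeThread"]


def bare_invocation(ev: ProcessEvent) -> bool:
    """True when the command line is nothing but the (possibly quoted) image path."""
    return ev.cmdline.strip().strip('"').lower() == ev.image.lower()


def flag_hollow_host(ev: ProcessEvent):
    """Finding for a hollowing-host image started with no arguments by a parent
    outside the allow-listed directories; None otherwise."""
    name = ntpath.basename(ev.image).lower()
    if name not in HOLLOW_HOSTS or not bare_invocation(ev):
        return None
    parent_dir = ntpath.dirname(ev.parent_image).lower() + "\\"
    if parent_dir.startswith(ALLOWED_PARENT_DIRS):
        return None
    return (f"pid {ev.pid}: {name} started without arguments by "
            f"{ev.parent_image} (pid {ev.parent_pid})")


def matches_hollow_sequence(calls) -> bool:
    """Ordered subsequence match: each stage must occur after the previous one.
    Unrelated calls in between (VirtualAlloc, ReadProcessMemory, repeated
    WriteProcessMemory) are ignored, so loader variants still match."""
    stage = 0
    for call in calls:
        if stage < len(HOLLOW_STAGES) and call in HOLLOW_STAGES[stage]:
            stage += 1
    return stage == len(HOLLOW_STAGES)


def detect(events, calls):
    findings = [f for f in map(flag_hollow_host, events) if f]
    if matches_hollow_sequence(calls):
        findings.append("api trace: create/allocate/write/set-context/resume chain")
    return findings


if __name__ == "__main__":
    for line in detect(EVENTS, OBSERVED_CALLS):
        print(line)
```

Run stand-alone it reports the RegAsm.exe child of vNx9jGoYpb.exe and the API chain, and stays silent for the control pair where MSBuild.exe passes RegAsm.exe an assembly to register. The sequence matcher deliberately ignores the reads and the extra writes between the stages, because the number of WriteProcessMemory calls depends on how many PE sections the payload has and is not a stable feature.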


                            Execution Graph

                            Execution Coverage:1.9%
                            Dynamic/Decrypted Code Coverage:0.6%
                            Signature Coverage:3.2%
                            Total number of Nodes:1053
                            Total number of Limit Nodes:4
execution_graph: the interactive node/edge dump (1053 nodes) is not reproduced here. The API call sequences recoverable from the graph data are:
- Nodes 13e01c5 -> 13e03a2 -> 13e03ec -> 13e0429: CreateProcessA, VirtualAlloc, Wow64GetThreadContext, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory (three calls), Wow64SetThreadContext, ResumeThread. This is the chain that creates a new process, writes a payload into it and redirects its initial thread before resuming it; the 13e0xxx addresses lie outside the 0xe00000 image of vNx9jGoYpb.exe, i.e. in dynamically allocated or decrypted code.
- Node e0de8b: IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter; node e0a1e0: SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess; node e11eb2/e11eca: GetCurrentProcess, TerminateProcess, ExitProcess.
- Node e22b7f: CreateThread, WaitForSingleObject; node e0a4f7: RaiseException.
- The remaining nodes are C runtime plumbing: HeapAlloc/RtlFreeHeap, GetLastError/SetLastError, TlsGetValue/TlsSetValue, EnterCriticalSection/LeaveCriticalSection, AcquireSRWLockExclusive/TryAcquireSRWLockExclusive/ReleaseSRWLockExclusive, LoadLibraryExW/GetProcAddress/FreeLibrary, GetModuleHandleW/GetModuleHandleExW, IsProcessorFeaturePresent, GetCurrentThreadId.
e09a3b __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 17147 e053d4 17145->17147 17146->17148 17147->17043 17147->17044 17148->17145 17150->17148 17151 e070e1 TryAcquireSRWLockExclusive 17150->17151 17152 e08fc2 17150->17152 17151->17148 17151->17150 17155 e09000 17152->17155 17154 e08fcd __aulldiv __aullrem 17154->17150 17158 e0944c 17155->17158 17159 e09488 GetSystemTimeAsFileTime 17158->17159 17160 e0947c GetSystemTimePreciseAsFileTime 17158->17160 17161 e0900e 17159->17161 17160->17161 17161->17154 17170 e07170 SleepConditionVariableSRW 17163->17170 17165 e07162 17166 e07166 17165->17166 17167 e0e0bb __FrameHandler3::FrameUnwindToState 41 API calls 17165->17167 17169 e071cc GetCurrentThreadId 17166->17169 17168 e0716f 17167->17168 17169->17080 17170->17165 17172 e072c0 __EH_prolog3_GS 17171->17172 17181 e022b0 17172->17181 17176 e072e9 17205 e02e80 17176->17205 17178 e072f1 17210 e09a80 17178->17210 17182 e022d1 17181->17182 17182->17182 17213 e01960 17182->17213 17184 e022e3 17185 e02480 17184->17185 17186 e024a8 17185->17186 17187 e02665 17186->17187 17190 e024b9 17186->17190 17188 e055c0 std::_Throw_Cpp_error 88 API calls 17187->17188 17189 e0266a 17188->17189 17191 e0e04f std::_Throw_Cpp_error 41 API calls 17189->17191 17193 e01900 std::_Throw_Cpp_error 88 API calls 17190->17193 17199 e024be _Yarn 17190->17199 17192 e0266f 17191->17192 17194 e0e04f std::_Throw_Cpp_error 41 API calls 17192->17194 17193->17199 17195 e02674 17194->17195 17197 e0a42e std::invalid_argument::invalid_argument 42 API calls 17195->17197 17196 e025aa std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 17200 e0a42e std::invalid_argument::invalid_argument 42 API calls 17196->17200 17198 e026a2 17197->17198 17198->17176 17199->17189 17199->17196 17201 e025ff 17200->17201 17201->17192 17202 e02630 std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 17201->17202 17203 e09a3b __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 17202->17203 17204 e0265f 17203->17204 
17204->17176 17206 e02e8b 17205->17206 17207 e02ea6 std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 17205->17207 17206->17207 17208 e0e04f std::_Throw_Cpp_error 41 API calls 17206->17208 17207->17178 17209 e02eca 17208->17209 17211 e09a3b __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 17210->17211 17212 e09a8a 17211->17212 17212->17212 17214 e019e9 17213->17214 17218 e01970 17213->17218 17235 e055c0 17214->17235 17215 e01975 _Yarn 17215->17184 17218->17215 17221 e01900 17218->17221 17220 e019c3 _Yarn 17220->17184 17222 e01910 17221->17222 17226 e01933 17221->17226 17223 e01917 17222->17223 17224 e0194a 17222->17224 17228 e096f2 std::ios_base::_Init 16 API calls 17223->17228 17227 e05360 std::_Throw_Cpp_error 88 API calls 17224->17227 17225 e01944 17225->17220 17226->17225 17229 e096f2 std::ios_base::_Init 16 API calls 17226->17229 17231 e0191d 17227->17231 17228->17231 17230 e0193d 17229->17230 17230->17220 17232 e0e04f std::_Throw_Cpp_error 41 API calls 17231->17232 17233 e01926 17231->17233 17234 e01954 17232->17234 17233->17220 17255 e06497 17235->17255 17256 e0642e std::invalid_argument::invalid_argument 42 API calls 17255->17256 17257 e064a8 17256->17257 17258 e0a4b0 std::_Throw_Cpp_error RaiseException 17257->17258 17259 e064b6 17258->17259 17263 e06f01 17260->17263 17264 e06f1c __InternalCxxFrameHandler 17263->17264 17271 e06f32 17263->17271 17267 e0a4b0 std::_Throw_Cpp_error RaiseException 17264->17267 17265 e06fa3 RaiseException 17266 e09a3b __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 17265->17266 17268 e061da 17266->17268 17267->17271 17269 e06fc5 17270 e0e0bb __FrameHandler3::FrameUnwindToState 41 API calls 17269->17270 17272 e06fca 17270->17272 17271->17265 17271->17269 17273 e06f83 __alloca_probe_16 17271->17273 17273->17265 17288 e0ea3b 17274->17288 17276 e0e18a 17282 e0e1ae 17276->17282 17295 e0e9e0 17276->17295 17277 e0e142 17277->17276 17278 e0e157 17277->17278 17287 e0e172 std::_Locinfo::_Locinfo_ctor 
17277->17287 17279 e0dfc2 __strnicoll 41 API calls 17278->17279 17279->17287 17284 e0e1d2 17282->17284 17302 e0ea78 17282->17302 17283 e0e25a 17285 e0e981 41 API calls 17283->17285 17284->17283 17309 e0e981 17284->17309 17285->17287 17287->16776 17289 e0ea40 17288->17289 17290 e0ea53 17288->17290 17291 e10fb7 __strnicoll 14 API calls 17289->17291 17290->17277 17292 e0ea45 17291->17292 17293 e0e03f __strnicoll 41 API calls 17292->17293 17294 e0ea50 17293->17294 17294->17277 17296 e0de26 _Fputc 41 API calls 17295->17296 17297 e0e9f0 17296->17297 17315 e1494c 17297->17315 17303 e0ea84 17302->17303 17304 e0ea9a 17302->17304 17366 e0f592 17303->17366 17308 e0eaaa 17304->17308 17371 e14854 17304->17371 17307 e0ea8f std::_Locinfo::_Locinfo_ctor 17307->17282 17308->17282 17310 e0e992 17309->17310 17311 e0e9a6 17309->17311 17310->17311 17312 e10fb7 __strnicoll 14 API calls 17310->17312 17311->17283 17313 e0e99b 17312->17313 17314 e0e03f __strnicoll 41 API calls 17313->17314 17314->17311 17316 e14963 17315->17316 17318 e0ea0d 17315->17318 17316->17318 17323 e1bf89 17316->17323 17319 e149aa 17318->17319 17320 e149c1 17319->17320 17321 e0ea1a 17319->17321 17320->17321 17345 e1a66c 17320->17345 17321->17282 17324 e1bf95 ___scrt_is_nonwritable_in_current_image 17323->17324 17325 e141c0 _unexpected 41 API calls 17324->17325 17326 e1bf9e 17325->17326 17327 e1bfe4 17326->17327 17336 e0ef59 EnterCriticalSection 17326->17336 17327->17318 17329 e1bfbc 17337 e1c00a 17329->17337 17334 e0e0bb __FrameHandler3::FrameUnwindToState 41 API calls 17335 e1c009 17334->17335 17336->17329 17338 e1c018 __Getctype 17337->17338 17340 e1bfcd 17337->17340 17339 e1bd3d __Getctype 14 API calls 17338->17339 17338->17340 17339->17340 17341 e1bfe9 17340->17341 17344 e0efa1 LeaveCriticalSection 17341->17344 17343 e1bfe0 17343->17327 17343->17334 17344->17343 17346 e141c0 _unexpected 41 API calls 17345->17346 17347 e1a671 17346->17347 17350 e1a584 17347->17350 17351 e1a590 
___scrt_is_nonwritable_in_current_image 17350->17351 17352 e1a5aa 17351->17352 17361 e0ef59 EnterCriticalSection 17351->17361 17354 e1a5b1 17352->17354 17357 e0e0bb __FrameHandler3::FrameUnwindToState 41 API calls 17352->17357 17354->17321 17355 e1a5e6 17362 e1a603 17355->17362 17358 e1a623 17357->17358 17359 e1a5ba 17359->17355 17360 e144ab ___free_lconv_mon 14 API calls 17359->17360 17360->17355 17361->17359 17365 e0efa1 LeaveCriticalSection 17362->17365 17364 e1a60a 17364->17352 17365->17364 17367 e141c0 _unexpected 41 API calls 17366->17367 17368 e0f59d 17367->17368 17378 e1491f 17368->17378 17382 e10fca 17371->17382 17375 e09a3b __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 17377 e1491d 17375->17377 17376 e14881 17376->17375 17377->17308 17379 e14932 17378->17379 17380 e0f5ad 17378->17380 17379->17380 17381 e1bf89 __Getctype 41 API calls 17379->17381 17380->17307 17381->17380 17383 e10fe8 17382->17383 17389 e10fe1 17382->17389 17384 e141c0 _unexpected 41 API calls 17383->17384 17383->17389 17385 e11009 17384->17385 17386 e1491f __Getctype 41 API calls 17385->17386 17387 e1101f 17386->17387 17405 e1497d 17387->17405 17389->17376 17390 e163e3 17389->17390 17391 e10fca __strnicoll 41 API calls 17390->17391 17392 e16403 17391->17392 17409 e194f8 17392->17409 17394 e164c7 17397 e09a3b __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 17394->17397 17395 e164bf 17419 e092a9 17395->17419 17396 e16430 17396->17394 17396->17395 17401 e16455 __fread_nolock __alloca_probe_16 17396->17401 17412 e153d2 17396->17412 17400 e164ea 17397->17400 17400->17376 17401->17395 17402 e194f8 __strnicoll MultiByteToWideChar 17401->17402 17403 e164a0 17402->17403 17403->17395 17404 e164ab GetStringTypeW 17403->17404 17404->17395 17406 e14990 17405->17406 17407 e149a5 17405->17407 17406->17407 17408 e1a66c __strnicoll 41 API calls 17406->17408 17407->17389 17408->17407 17410 e19509 MultiByteToWideChar 17409->17410 17410->17396 17413 e15410 
17412->17413 17414 e153e0 __dosmaperr 17412->17414 17416 e10fb7 __strnicoll 14 API calls 17413->17416 17414->17413 17415 e153fb HeapAlloc 17414->17415 17418 e1380e std::ios_base::_Init 2 API calls 17414->17418 17415->17414 17417 e1540e 17415->17417 17416->17417 17417->17401 17418->17414 17420 e092b3 17419->17420 17421 e092c4 17419->17421 17420->17421 17422 e0e0a0 __freea 14 API calls 17420->17422 17421->17394 17422->17421 17423->16785 17425 e01900 std::_Throw_Cpp_error 87 API calls 17424->17425 17426 e22bce 17425->17426 17427 e096f2 std::ios_base::_Init 16 API calls 17426->17427 17428 e22c0a 17427->17428 17429 e22c22 VirtualAlloc 17428->17429 17458 e220c0 17428->17458 17431 e228f0 87 API calls 17429->17431 17433 e22c40 _Yarn 17431->17433 17442 e225d0 17433->17442 17435 e22c9b std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 17437 e09a3b __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 17435->17437 17439 e22cb2 17437->17439 17438 e22cb6 17440 e0e04f std::_Throw_Cpp_error 41 API calls 17438->17440 17441 e22cbb 17440->17441 17443 e096f2 std::ios_base::_Init 16 API calls 17442->17443 17445 e22602 17443->17445 17447 e22664 std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 17445->17447 17470 e01660 17445->17470 17482 e02010 17445->17482 17448 e228af std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 17447->17448 17449 e226ec OffsetRect Polyline 17447->17449 17454 e0eb0e 44 API calls 17447->17454 17455 e228e9 17447->17455 17503 e01ba0 17447->17503 17451 e09a3b __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 17448->17451 17490 e019f0 17449->17490 17453 e228e2 17451->17453 17453->17435 17453->17438 17454->17447 17456 e0e04f std::_Throw_Cpp_error 41 API calls 17455->17456 17457 e228ee 17456->17457 17459 e22532 17458->17459 17465 e220ed _Yarn std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 17458->17465 17460 e09a3b __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 17459->17460 17461 e22543 17460->17461 17461->17429 17462 e0eb0e 44 API calls 
17462->17465 17463 e2254e 17464 e055c0 std::_Throw_Cpp_error 88 API calls 17463->17464 17466 e22553 17464->17466 17465->17459 17465->17462 17465->17463 17467 e01900 88 API calls std::_Throw_Cpp_error 17465->17467 17468 e22549 17465->17468 17467->17465 17469 e0e04f std::_Throw_Cpp_error 41 API calls 17468->17469 17469->17463 17471 e01696 17470->17471 17520 e02d20 17471->17520 17473 e01843 std::ios_base::_Init 17529 e02ac0 17473->17529 17474 e0180a 17475 e0181d 17474->17475 17525 e04af0 17474->17525 17475->17445 17478 e016e3 17478->17473 17478->17474 17479 e01877 17480 e0a4b0 std::_Throw_Cpp_error RaiseException 17479->17480 17481 e01885 17480->17481 17483 e02030 17482->17483 17566 e02090 17483->17566 17486 e0203a 17595 e06080 17486->17595 17488 e059f0 88 API calls 17489 e02075 17488->17489 17489->17445 17491 e01b84 17490->17491 17492 e01a3c 17490->17492 17496 e05360 std::_Throw_Cpp_error 88 API calls 17491->17496 17493 e01a56 17492->17493 17494 e01aa4 17492->17494 17495 e01a94 17492->17495 17497 e096f2 std::ios_base::_Init 16 API calls 17493->17497 17498 e096f2 std::ios_base::_Init 16 API calls 17494->17498 17501 e01a69 _Yarn 17494->17501 17495->17491 17495->17493 17496->17501 17497->17501 17498->17501 17499 e0e04f std::_Throw_Cpp_error 41 API calls 17500 e01b93 17499->17500 17501->17499 17502 e01b38 std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 17501->17502 17502->17447 17504 e01bf2 17503->17504 17518 e01c4d _Yarn 17503->17518 17505 e01d34 17504->17505 17508 e01c69 17504->17508 17509 e01c3c 17504->17509 17506 e05360 std::_Throw_Cpp_error 88 API calls 17505->17506 17506->17518 17507 e0e04f std::_Throw_Cpp_error 41 API calls 17510 e01d43 17507->17510 17512 e096f2 std::ios_base::_Init 16 API calls 17508->17512 17508->17518 17509->17505 17511 e01c47 17509->17511 17802 e05830 17510->17802 17514 e096f2 std::ios_base::_Init 16 API calls 17511->17514 17512->17518 17514->17518 17515 e01d51 17516 e0a4b0 std::_Throw_Cpp_error RaiseException 17515->17516 17517 e01d5a 17516->17517 
17518->17507 17519 e01cff std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 17518->17519 17519->17447 17522 e02d37 17520->17522 17521 e02d4b 17521->17478 17522->17521 17543 e059f0 17522->17543 17526 e04b53 17525->17526 17527 e04b2e 17525->17527 17526->17475 17527->17526 17555 e061e0 17527->17555 17530 e02b00 17529->17530 17530->17530 17531 e01960 std::_Throw_Cpp_error 88 API calls 17530->17531 17532 e02b14 17531->17532 17533 e02480 std::_Throw_Cpp_error 88 API calls 17532->17533 17535 e02b22 17533->17535 17534 e02b4a std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 17536 e09a3b __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 17534->17536 17535->17534 17537 e02b71 17535->17537 17538 e02b6b 17536->17538 17539 e0e04f std::_Throw_Cpp_error 41 API calls 17537->17539 17538->17479 17540 e02b76 17539->17540 17541 e0a42e std::invalid_argument::invalid_argument 42 API calls 17540->17541 17542 e02ba2 17541->17542 17542->17479 17544 e05a31 17543->17544 17548 e02d67 17543->17548 17545 e02d20 88 API calls 17544->17545 17547 e05a3a 17545->17547 17546 e05ab2 17546->17548 17549 e04af0 88 API calls 17546->17549 17547->17546 17550 e05aeb std::ios_base::_Init 17547->17550 17548->17478 17549->17548 17551 e02ac0 std::ios_base::_Init 88 API calls 17550->17551 17552 e05b1d 17551->17552 17553 e0a4b0 std::_Throw_Cpp_error RaiseException 17552->17553 17554 e05b2b 17553->17554 17558 e05740 17555->17558 17557 e061fe 17557->17526 17559 e05754 17558->17559 17560 e0575d std::ios_base::_Init 17558->17560 17559->17560 17561 e0a4b0 std::_Throw_Cpp_error RaiseException 17559->17561 17560->17557 17562 e02ac0 std::ios_base::_Init 88 API calls 17560->17562 17561->17560 17563 e057a3 17562->17563 17564 e0a4b0 std::_Throw_Cpp_error RaiseException 17563->17564 17565 e057b2 17564->17565 17606 e06340 17566->17606 17569 e06340 std::_Lockit::_Lockit 7 API calls 17570 e020c4 17569->17570 17612 e06398 17570->17612 17571 e06398 std::_Lockit::~_Lockit 2 API calls 17573 e0222d 17571->17573 17572 e020e5 17575 
e02132 17572->17575 17576 e02147 17572->17576 17587 e02214 17572->17587 17573->17486 17577 e06398 std::_Lockit::~_Lockit 2 API calls 17575->17577 17578 e096f2 std::ios_base::_Init 16 API calls 17576->17578 17579 e0213d 17577->17579 17582 e0214e 17578->17582 17579->17486 17580 e021ea 17581 e0220e 17580->17581 17640 e02f90 17580->17640 17655 e0750b 17581->17655 17582->17580 17583 e06340 std::_Lockit::_Lockit 7 API calls 17582->17583 17586 e02182 17583->17586 17588 e02237 17586->17588 17589 e021c8 17586->17589 17587->17571 17658 e064b7 17588->17658 17619 e0763b 17589->17619 17596 e02d20 88 API calls 17595->17596 17597 e060be 17596->17597 17598 e06148 17597->17598 17600 e06183 std::ios_base::_Init 17597->17600 17599 e0206e 17598->17599 17601 e04af0 88 API calls 17598->17601 17599->17488 17602 e02ac0 std::ios_base::_Init 88 API calls 17600->17602 17601->17599 17603 e061b5 17602->17603 17604 e0a4b0 std::_Throw_Cpp_error RaiseException 17603->17604 17605 e061c3 17604->17605 17607 e06356 17606->17607 17608 e0634f 17606->17608 17611 e020aa 17607->17611 17668 e08fa6 EnterCriticalSection 17607->17668 17663 e0efb8 17608->17663 17611->17569 17611->17572 17613 e063a2 17612->17613 17614 e0efc6 17612->17614 17615 e063b5 17613->17615 17720 e08fb4 LeaveCriticalSection 17613->17720 17721 e0efa1 LeaveCriticalSection 17614->17721 17615->17572 17618 e0efcd 17618->17572 17722 e0f55a 17619->17722 17623 e0765f 17624 e0766f 17623->17624 17625 e0f55a std::_Locinfo::_Locinfo_ctor 68 API calls 17623->17625 17626 e07495 _Yarn 15 API calls 17624->17626 17625->17624 17627 e021d3 17626->17627 17628 e07750 17627->17628 17767 e0f6d4 17628->17767 17630 e07759 __Getctype 17631 e07791 17630->17631 17632 e07773 17630->17632 17634 e0f592 __Getctype 41 API calls 17631->17634 17633 e0f592 __Getctype 41 API calls 17632->17633 17635 e0777a 17633->17635 17634->17635 17772 e0f6f9 17635->17772 17638 e077b2 17638->17580 17795 e07686 17640->17795 17643 e02fa9 17644 e02fc0 17643->17644 17646 e0e0a0 __freea 14 API 
calls 17643->17646 17647 e02fd7 17644->17647 17648 e0e0a0 __freea 14 API calls 17644->17648 17645 e0e0a0 __freea 14 API calls 17645->17643 17646->17644 17649 e0e0a0 __freea 14 API calls 17647->17649 17651 e02fee 17647->17651 17648->17647 17649->17651 17650 e0301c 17652 e0e0a0 __freea 14 API calls 17651->17652 17653 e03005 17651->17653 17652->17653 17653->17650 17654 e0e0a0 __freea 14 API calls 17653->17654 17654->17650 17656 e096f2 std::ios_base::_Init 16 API calls 17655->17656 17657 e07516 17656->17657 17657->17587 17799 e02ce0 17658->17799 17661 e0a4b0 std::_Throw_Cpp_error RaiseException 17662 e02241 17661->17662 17669 e15141 17663->17669 17668->17611 17690 e14af0 17669->17690 17689 e15173 17689->17689 17691 e14cd9 std::_Locinfo::_Locinfo_ctor 5 API calls 17690->17691 17692 e14b06 17691->17692 17693 e14b0a 17692->17693 17694 e14cd9 std::_Locinfo::_Locinfo_ctor 5 API calls 17693->17694 17695 e14b20 17694->17695 17696 e14b24 17695->17696 17697 e14cd9 std::_Locinfo::_Locinfo_ctor 5 API calls 17696->17697 17698 e14b3a 17697->17698 17699 e14b3e 17698->17699 17700 e14cd9 std::_Locinfo::_Locinfo_ctor 5 API calls 17699->17700 17701 e14b54 17700->17701 17702 e14b58 17701->17702 17703 e14cd9 std::_Locinfo::_Locinfo_ctor 5 API calls 17702->17703 17704 e14b6e 17703->17704 17705 e14b72 17704->17705 17706 e14cd9 std::_Locinfo::_Locinfo_ctor 5 API calls 17705->17706 17707 e14b88 17706->17707 17708 e14b8c 17707->17708 17709 e14cd9 std::_Locinfo::_Locinfo_ctor 5 API calls 17708->17709 17710 e14ba2 17709->17710 17711 e14ba6 17710->17711 17712 e14cd9 std::_Locinfo::_Locinfo_ctor 5 API calls 17711->17712 17713 e14bbc 17712->17713 17714 e14bda 17713->17714 17715 e14cd9 std::_Locinfo::_Locinfo_ctor 5 API calls 17714->17715 17716 e14bf0 17715->17716 17717 e14bc0 17716->17717 17718 e14cd9 std::_Locinfo::_Locinfo_ctor 5 API calls 17717->17718 17719 e14bd6 17718->17719 17719->17689 17720->17615 17721->17618 17723 e15141 std::_Locinfo::_Locinfo_ctor 5 API calls 17722->17723 17724 e0f567 
17723->17724 17733 e0f305 17724->17733 17727 e07495 17728 e074a3 17727->17728 17732 e074ce _Yarn 17727->17732 17729 e074af 17728->17729 17730 e0e0a0 __freea 14 API calls 17728->17730 17731 e0efcf _Yarn 15 API calls 17729->17731 17729->17732 17730->17729 17731->17732 17732->17623 17734 e0f311 ___scrt_is_nonwritable_in_current_image 17733->17734 17741 e0ef59 EnterCriticalSection 17734->17741 17736 e0f31f 17742 e0f360 17736->17742 17741->17736 17743 e0f4bf std::_Locinfo::_Locinfo_ctor 68 API calls 17742->17743 17744 e0f37b 17743->17744 17745 e141c0 _unexpected 41 API calls 17744->17745 17763 e0f32c 17744->17763 17746 e0f388 17745->17746 17747 e1610e std::_Locinfo::_Locinfo_ctor 43 API calls 17746->17747 17748 e0f3ad 17747->17748 17749 e0f3b4 17748->17749 17750 e153d2 __strnicoll 15 API calls 17748->17750 17751 e0e06c __Getctype 11 API calls 17749->17751 17749->17763 17752 e0f3d9 17750->17752 17753 e0f4be 17751->17753 17754 e1610e std::_Locinfo::_Locinfo_ctor 43 API calls 17752->17754 17752->17763 17755 e0f3f5 17754->17755 17756 e0f417 17755->17756 17757 e0f3fc 17755->17757 17760 e144ab ___free_lconv_mon 14 API calls 17756->17760 17761 e0f442 17756->17761 17757->17749 17758 e0f40e 17757->17758 17759 e144ab ___free_lconv_mon 14 API calls 17758->17759 17759->17763 17760->17761 17762 e144ab ___free_lconv_mon 14 API calls 17761->17762 17761->17763 17762->17763 17764 e0f354 17763->17764 17765 e0efa1 std::_Lockit::~_Lockit LeaveCriticalSection 17764->17765 17766 e07647 17765->17766 17766->17727 17768 e141c0 _unexpected 41 API calls 17767->17768 17769 e0f6df 17768->17769 17770 e1491f __Getctype 41 API calls 17769->17770 17771 e0f6ef 17770->17771 17771->17630 17773 e141c0 _unexpected 41 API calls 17772->17773 17774 e0f704 17773->17774 17775 e1491f __Getctype 41 API calls 17774->17775 17776 e077a2 17775->17776 17776->17638 17777 e0fb7d 17776->17777 17778 e0fb8a 17777->17778 17783 e0fbc5 17777->17783 17779 e0efcf _Yarn 15 API calls 17778->17779 17780 e0fbad 17779->17780 
17780->17783 17786 e16723 17780->17786 17783->17638 17784 e0e06c __Getctype 11 API calls 17785 e0fbdb 17784->17785 17787 e16731 17786->17787 17788 e1673f 17786->17788 17787->17788 17792 e16759 17787->17792 17789 e10fb7 __strnicoll 14 API calls 17788->17789 17794 e16749 17789->17794 17790 e0e03f __strnicoll 41 API calls 17791 e0fbbe 17790->17791 17791->17783 17791->17784 17792->17791 17793 e10fb7 __strnicoll 14 API calls 17792->17793 17793->17794 17794->17790 17796 e07692 17795->17796 17797 e02f99 17795->17797 17798 e0f55a std::_Locinfo::_Locinfo_ctor 68 API calls 17796->17798 17797->17643 17797->17645 17798->17797 17800 e0a42e std::invalid_argument::invalid_argument 42 API calls 17799->17800 17801 e02d0e 17800->17801 17801->17661 17803 e05847 17802->17803 17804 e05857 std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 17802->17804 17803->17804 17805 e0e04f std::_Throw_Cpp_error 41 API calls 17803->17805 17804->17515 17806 e0586b 17805->17806 17806->17515

                            Control-flow Graph

                            APIs
                            • CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,013E00FF,013E00EF), ref: 013E02FC
                            • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 013E030F
                            • Wow64GetThreadContext.KERNEL32(00000110,00000000), ref: 013E032D
                            • ReadProcessMemory.KERNELBASE(00000114,?,013E0143,00000004,00000000), ref: 013E0351
                            • VirtualAllocEx.KERNELBASE(00000114,?,?,00003000,00000040), ref: 013E037C
                            • WriteProcessMemory.KERNELBASE(00000114,00000000,?,?,00000000,?), ref: 013E03D4
                            • WriteProcessMemory.KERNELBASE(00000114,00400000,?,?,00000000,?,00000028), ref: 013E041F
                            • WriteProcessMemory.KERNELBASE(00000114,-00000008,?,00000004,00000000), ref: 013E045D
                            • Wow64SetThreadContext.KERNEL32(00000110,03190000), ref: 013E0499
                            • ResumeThread.KERNELBASE(00000110), ref: 013E04A8
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2241910752.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_13e0000_vNx9jGoYpb.jbxd
                            Similarity
                            • API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
                            • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
                            • API String ID: 2687962208-1257834847
                            • Opcode ID: 6ed679946abb4a161c9f75f6101290084365813039212a6bd0c7882d8dd446c2
                            • Instruction ID: 5dcfd71b97fd213718feb038171161da0bafe8876af86c65524f9d147be18262
                            • Opcode Fuzzy Hash: 6ed679946abb4a161c9f75f6101290084365813039212a6bd0c7882d8dd446c2
                            • Instruction Fuzzy Hash: 19B1E57664028AAFDB60CF68CC80BDA77E5FF88714F158524EA0CAB341D774FA418B94

                            Control-flow Graph

                            APIs
                            • CreateThread.KERNELBASE(00000000,00000000,00E22BA0,00000000,00000000,00000000), ref: 00E22B8F
                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,0000001F,?,?,?,?,?,?,?,?,00E22C40), ref: 00E22B98
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2241644452.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                            • Associated: 00000001.00000002.2241618556.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241680398.0000000000E23000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241756848.0000000000E7D000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e00000_vNx9jGoYpb.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateObjectSingleThreadWait
                            • String ID: C$Earth$Own head
                            • API String ID: 1891408510-3365287836
                            • Opcode ID: c37c83b958d9800d5fe593c2a23f8c0b2fe2361389055e7ae667ce2564315cca
                            • Instruction ID: 96c968c275db600fe0fa2b95aa38f05905192fbaeef8f22d3ea1df51919c67d7
                            • Opcode Fuzzy Hash: c37c83b958d9800d5fe593c2a23f8c0b2fe2361389055e7ae667ce2564315cca
                            • Instruction Fuzzy Hash: E0719B729043106BDB24DF34AC85B1BB7E4EF45340F042A2DF5A5B7193D764EA88CB51

                            Control-flow Graph

                            control_flow_graph 97 e225d0-e22627 call e096f2 100 e22630-e22662 call e01660 call e02010 97->100 105 e22664-e22668 100->105 106 e22670-e22689 105->106 107 e22693-e226a6 106->107 108 e2268b-e22692 106->108 107->106 109 e226a8-e226b9 107->109 108->107 110 e228af-e228e8 call e01ed0 call e09722 call e09a3b 109->110 111 e226bf 109->111 113 e226c0-e226c7 111->113 115 e226d1-e226e3 113->115 116 e226c9-e226d0 113->116 118 e226e5-e226eb 115->118 119 e226ec-e22748 OffsetRect Polyline call e019f0 115->119 116->115 118->119 123 e2274d-e227be call e01ba0 call e0eb0e 119->123 129 e227c0-e227cd 123->129 130 e227ed-e22804 123->130 131 e227e3-e227ea call e09722 129->131 132 e227cf-e227dd 129->132 133 e22806-e22816 130->133 134 e2284e-e22850 130->134 131->130 132->131 137 e228e9-e228ef call e0e04f 132->137 139 e22818-e22826 133->139 140 e2282c-e22846 call e09722 133->140 135 e22852-e22860 134->135 136 e22894-e228a0 134->136 141 e22872-e2288c call e09722 135->141 142 e22862-e22870 135->142 136->110 143 e228a2-e228aa 136->143 139->137 139->140 140->134 141->136 142->137 142->141 143->113
                            APIs
                            • OffsetRect.USER32(00000000,00000000,00000000), ref: 00E226F6
                            • Polyline.GDI32(00000000,00000000,00000000), ref: 00E22713
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2241644452.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                            • Associated: 00000001.00000002.2241618556.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241680398.0000000000E23000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241756848.0000000000E7D000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e00000_vNx9jGoYpb.jbxd
                            Yara matches
                            Similarity
                            • API ID: OffsetPolylineRect
                            • String ID: 0$Zatlat
                            • API String ID: 1418762327-1547964091

                            APIs
                            • RtlFreeHeap.NTDLL(00000000,00000000,?,00E1B73A,?,00000000,?,?,00E1B9DB,?,00000007,?,?,00E1BED4,?,?), ref: 00E144C1
                            • GetLastError.KERNEL32(?,?,00E1B73A,?,00000000,?,?,00E1B9DB,?,00000007,?,?,00E1BED4,?,?), ref: 00E144CC
                            Similarity
                            • API ID: ErrorFreeHeapLast
                            • String ID:
                            • API String ID: 485612231-0

                            APIs
                            • VirtualAlloc.KERNELBASE(00000000,000004AC,00001000,00000040), ref: 00E22C30
                            Similarity
                            • API ID: AllocVirtual
                            • String ID:
                            • API String ID: 4275171209-0
                            APIs
                            • GetLocaleInfoW.KERNEL32(?,2000000B,00E1D203,00000002,00000000,?,?,?,00E1D203,?,00000000), ref: 00E1CF7E
                            • GetLocaleInfoW.KERNEL32(?,20001004,00E1D203,00000002,00000000,?,?,?,00E1D203,?,00000000), ref: 00E1CFA7
                            • GetACP.KERNEL32(?,?,00E1D203,?,00000000), ref: 00E1CFBC
                            Similarity
                            • API ID: InfoLocale
                            • String ID: ACP$OCP
                            • API String ID: 2299586839-711371036
                            APIs
                              • Part of subcall function 00E141C0: GetLastError.KERNEL32(?,00000008,00E147BF), ref: 00E141C4
                              • Part of subcall function 00E141C0: SetLastError.KERNEL32(00000000,00000001,00000005,000000FF), ref: 00E14266
                            • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00E1D1C6
                            • IsValidCodePage.KERNEL32(00000000), ref: 00E1D20F
                            • IsValidLocale.KERNEL32(?,00000001), ref: 00E1D21E
                            • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00E1D266
                            • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00E1D285
                            Similarity
                            • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                            • String ID:
                            • API String ID: 415426439-0
                            APIs
                              • Part of subcall function 00E141C0: GetLastError.KERNEL32(?,00000008,00E147BF), ref: 00E141C4
                              • Part of subcall function 00E141C0: SetLastError.KERNEL32(00000000,00000001,00000005,000000FF), ref: 00E14266
                            • GetACP.KERNEL32(?,?,?,?,?,?,00E12857,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00E1C817
                            • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00E12857,?,?,?,00000055,?,-00000050,?,?), ref: 00E1C842
                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00E1C9A5
                            Similarity
                            • API ID: ErrorLast$CodeInfoLocalePageValid
                            • String ID: utf8
                            • API String ID: 607553120-905460609
                            APIs
                            • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00E09F32
                            • IsDebuggerPresent.KERNEL32 ref: 00E09FFE
                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00E0A017
                            • UnhandledExceptionFilter.KERNEL32(?), ref: 00E0A021
                            Similarity
                            • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                            • String ID:
                            • API String ID: 254469556-0
                            APIs
                            • GetSystemTimePreciseAsFileTime.KERNEL32(?,00E0900E,?,00000000,00000000,?,00E08FCD,?,?,?,?,00E070B3,?,?), ref: 00E09484
                            • GetSystemTimeAsFileTime.KERNEL32(?,D3BFC901,?,?,00E2108C,000000FF,?,00E0900E,?,00000000,00000000,?,00E08FCD,?,?), ref: 00E09488
                            Similarity
                            • API ID: Time$FileSystem$Precise
                            • String ID: k
                            • API String ID: 743729956-4082892380
                            APIs
                              • Part of subcall function 00E141C0: GetLastError.KERNEL32(?,00000008,00E147BF), ref: 00E141C4
                              • Part of subcall function 00E141C0: SetLastError.KERNEL32(00000000,00000001,00000005,000000FF), ref: 00E14266
                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00E1CBBD
                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00E1CC07
                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00E1CCCD
                            Similarity
                            • API ID: InfoLocale$ErrorLast
                            • String ID:
                            • API String ID: 661929714-0
                            APIs
                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000001), ref: 00E0DF3B
                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000001), ref: 00E0DF45
                            • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000001), ref: 00E0DF52
                            Similarity
                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                            • String ID:
                            • API String ID: 3906539128-0
                            APIs
                            • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00E133BD,?,20001004,00000000,00000002,?,?,00E129BF), ref: 00E14F9F
                            Similarity
                            • API ID: InfoLocale
                            • String ID: k
                            • API String ID: 2299586839-4082892380
                            APIs
                            • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00E18D04,?,?,00000008,?,?,00E1F3A3,00000000), ref: 00E18F36
                            Similarity
                            • API ID: ExceptionRaise
                            • String ID:
                            • API String ID: 3997070919-0
                            APIs
                            • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00E09C5B
                            Similarity
                            • API ID: FeaturePresentProcessor
                            • String ID:
                            • API String ID: 2325560087-0
                            APIs
                              • Part of subcall function 00E141C0: GetLastError.KERNEL32(?,00000008,00E147BF), ref: 00E141C4
                              • Part of subcall function 00E141C0: SetLastError.KERNEL32(00000000,00000001,00000005,000000FF), ref: 00E14266
                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00E1CE10
                            Similarity
                            • API ID: ErrorLast$InfoLocale
                            • String ID:
                            • API String ID: 3736152602-0
                            APIs
                              • Part of subcall function 00E141C0: GetLastError.KERNEL32(?,00000008,00E147BF), ref: 00E141C4
                              • Part of subcall function 00E141C0: SetLastError.KERNEL32(00000000,00000001,00000005,000000FF), ref: 00E14266
                            • EnumSystemLocalesW.KERNEL32(00E1CB69,00000001,00000000,?,-00000050,?,00E1D19A,00000000,?,?,?,00000055,?), ref: 00E1CAB5
                            Similarity
                            • API ID: ErrorLast$EnumLocalesSystem
                            • String ID:
                            • API String ID: 2417226690-0
                            APIs
                              • Part of subcall function 00E141C0: GetLastError.KERNEL32(?,00000008,00E147BF), ref: 00E141C4
                              • Part of subcall function 00E141C0: SetLastError.KERNEL32(00000000,00000001,00000005,000000FF), ref: 00E14266
                            • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00E1CE66,00000000,00000000,?), ref: 00E1D017
                            Similarity
                            • API ID: ErrorLast$InfoLocale
                            • String ID:
                            • API String ID: 3736152602-0
                            • Opcode ID: c36e8c9a938f795dba1eb77a4d4f46279cfa8d0301a0d8b715feb1b2093d7e6f
                            • Instruction ID: 26aadd319f2a0f7ff229f65828bf81f00171f9e453d80aac17ec8da3d9eaa25b
                            • Opcode Fuzzy Hash: c36e8c9a938f795dba1eb77a4d4f46279cfa8d0301a0d8b715feb1b2093d7e6f
                            • Instruction Fuzzy Hash: 0BF0A472648115BFDB289A65CC06FFA77A9EB84758F155428EC06F3180EA74FE83C6D0
                            APIs
                              • Part of subcall function 00E141C0: GetLastError.KERNEL32(?,00000008,00E147BF), ref: 00E141C4
                              • Part of subcall function 00E141C0: SetLastError.KERNEL32(00000000,00000001,00000005,000000FF), ref: 00E14266
                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00E1C9A5
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2241644452.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                            • Associated: 00000001.00000002.2241618556.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241680398.0000000000E23000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241756848.0000000000E7D000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e00000_vNx9jGoYpb.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast$InfoLocale
                            • String ID: utf8
                            • API String ID: 3736152602-905460609
                            • Opcode ID: ccc908ace37fa00fe6725f19344b475604caab07df386098abecfb816e80c46c
                            • Instruction ID: 847982670b301e6af7ab424e1210790583a45ac0aedd02d5e7d0208e616491eb
                            • Opcode Fuzzy Hash: ccc908ace37fa00fe6725f19344b475604caab07df386098abecfb816e80c46c
                            • Instruction Fuzzy Hash: E3F0F472741105ABC714AB74DC46EFA33E8DB45314F105179B602E7282DA74AD858790
                            APIs
                              • Part of subcall function 00E141C0: GetLastError.KERNEL32(?,00000008,00E147BF), ref: 00E141C4
                              • Part of subcall function 00E141C0: SetLastError.KERNEL32(00000000,00000001,00000005,000000FF), ref: 00E14266
                            • EnumSystemLocalesW.KERNEL32(00E1CDBC,00000001,?,?,-00000050,?,00E1D15E,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00E1CB28
                            Memory Dump Source
                            • Source File: 00000001.00000002.2241644452.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                            • Associated: 00000001.00000002.2241618556.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241680398.0000000000E23000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241756848.0000000000E7D000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e00000_vNx9jGoYpb.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast$EnumLocalesSystem
                            • String ID:
                            • API String ID: 2417226690-0
                            • Opcode ID: 2ecc6f881d972a4d937fbd36c6c571583790c93931ffa3be4359315db77a0e26
                            • Instruction ID: d6677c8f74dcf243c8fc6a779c1740877f26747d0516f51ca00a46caa600c751
                            • Opcode Fuzzy Hash: 2ecc6f881d972a4d937fbd36c6c571583790c93931ffa3be4359315db77a0e26
                            • Instruction Fuzzy Hash: 50F0C2363443085FDB245F35DC82EAA7B95FF81368B25492DF946EB680C6B19C82CB50
                            APIs
                              • Part of subcall function 00E0EF59: EnterCriticalSection.KERNEL32(?,?,00E13852,00000000,00E2D6B0,0000000C,00E13819,?,?,00E14A0E,?,?,00E1435E,00000001,00000364,?), ref: 00E0EF68
                            • EnumSystemLocalesW.KERNEL32(00E14A38,00000001,00E2D7D0,0000000C,00E14E67,00000000), ref: 00E14A7D
                            Memory Dump Source
                            • Source File: 00000001.00000002.2241644452.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                            • Associated: 00000001.00000002.2241618556.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241680398.0000000000E23000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241756848.0000000000E7D000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e00000_vNx9jGoYpb.jbxd
                            Yara matches
                            Similarity
                            • API ID: CriticalEnterEnumLocalesSectionSystem
                            • String ID:
                            • API String ID: 1272433827-0
                            • Opcode ID: 06d37c729f7f096bd6d96eb9c300b7e6065581a576c4264160ce6bbef1f0c0e7
                            • Instruction ID: 69d79e286f8b238a0cf77753de88e22e4e344bca2ff143b1087f2bde0b2ef512
                            • Opcode Fuzzy Hash: 06d37c729f7f096bd6d96eb9c300b7e6065581a576c4264160ce6bbef1f0c0e7
                            • Instruction Fuzzy Hash: 0EF01472A40204DFD710EFA8E842B9877F0EB48721F20516AE514BB3A0DAB54984CF50
                            APIs
                              • Part of subcall function 00E141C0: GetLastError.KERNEL32(?,00000008,00E147BF), ref: 00E141C4
                              • Part of subcall function 00E141C0: SetLastError.KERNEL32(00000000,00000001,00000005,000000FF), ref: 00E14266
                            • EnumSystemLocalesW.KERNEL32(00E1C951,00000001,?,?,?,00E1D1BC,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00E1CA2F
                            Memory Dump Source
                            • Source File: 00000001.00000002.2241644452.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                            • Associated: 00000001.00000002.2241618556.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241680398.0000000000E23000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241756848.0000000000E7D000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e00000_vNx9jGoYpb.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast$EnumLocalesSystem
                            • String ID:
                            • API String ID: 2417226690-0
                            • Opcode ID: 78b73121a5aa240cf0ddfaa4dab2ddce06b6db3150efd16fbcc34f1ce6d4e432
                            • Instruction ID: 57a821b20f0a1cfdadfe12eeaaf359a99cb5fb0b4829d92ef1f18ff84e72d681
                            • Opcode Fuzzy Hash: 78b73121a5aa240cf0ddfaa4dab2ddce06b6db3150efd16fbcc34f1ce6d4e432
                            • Instruction Fuzzy Hash: 43F0553634020957CB14AF35DC15AAA7F94EFC1714B160058EA0ADB280C631D883CB90
                            APIs
                            • SetUnhandledExceptionFilter.KERNEL32(Function_0000A08E,00E09559), ref: 00E0A087
                            Memory Dump Source
                            • Source File: 00000001.00000002.2241644452.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                            • Associated: 00000001.00000002.2241618556.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241680398.0000000000E23000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241756848.0000000000E7D000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e00000_vNx9jGoYpb.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExceptionFilterUnhandled
                            • String ID:
                            • API String ID: 3192549508-0
                            • Opcode ID: 35286b4f136e451103bf19576c0bd883cd48d92fc3b5569d9c01d5c29f942778
                            • Instruction ID: 72146fac6e7107fe3a957add23b9e21fcd326badd1649f6f38a03a491353203e
                            • Opcode Fuzzy Hash: 35286b4f136e451103bf19576c0bd883cd48d92fc3b5569d9c01d5c29f942778
                            • Instruction Fuzzy Hash:
                            APIs
                            Memory Dump Source
                            • Source File: 00000001.00000002.2241644452.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                            • Associated: 00000001.00000002.2241618556.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241680398.0000000000E23000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241756848.0000000000E7D000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e00000_vNx9jGoYpb.jbxd
                            Yara matches
                            Similarity
                            • API ID: HeapProcess
                            • String ID:
                            • API String ID: 54951025-0
                            • Opcode ID: f718cea593571c42cbc3be0ac4f16d7bcae9872f4aa6f8fd18388e6cb77d8763
                            • Instruction ID: 3eeb27d367edce324d5c32c8ef9b3703647c3705443bfa358523b28646a0bc11
                            • Opcode Fuzzy Hash: f718cea593571c42cbc3be0ac4f16d7bcae9872f4aa6f8fd18388e6cb77d8763
                            • Instruction Fuzzy Hash: 7FA012301012008F8310CF325B057083598A70068030540199044F1030DB2440449E00
                            Memory Dump Source
                            • Source File: 00000001.00000002.2241644452.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                            • Associated: 00000001.00000002.2241618556.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241680398.0000000000E23000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241756848.0000000000E7D000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e00000_vNx9jGoYpb.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3be818cf205956922cb42e2948fb7e1fdd6f2e0da355ec83d9b6a1afa0c5ae1d
                            • Instruction ID: e19cfafd99acf80580e64ad103f04d0fd8125c21ffd9ddd844f61525c087cf2d
                            • Opcode Fuzzy Hash: 3be818cf205956922cb42e2948fb7e1fdd6f2e0da355ec83d9b6a1afa0c5ae1d
                            • Instruction Fuzzy Hash: 81E08C72A12628EBCB16DBC8C904E8AF3FCEB88B00B210196F501E3250C270DF40C7D0
                            Memory Dump Source
                            • Source File: 00000001.00000002.2241644452.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                            • Associated: 00000001.00000002.2241618556.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241680398.0000000000E23000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241756848.0000000000E7D000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e00000_vNx9jGoYpb.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 65d7671a8dc77b38090010dfc7dabd85b93f02db96d547d94187d4f512e97d2c
                            • Instruction ID: 974f0544fb071fbe9d44eb46850a9b8e1aae564453800a163107cd19ab88d4bd
                            • Opcode Fuzzy Hash: 65d7671a8dc77b38090010dfc7dabd85b93f02db96d547d94187d4f512e97d2c
                            • Instruction Fuzzy Hash: 7AC08034322E4047CD15561081717E43355E7D6789FC425CCD50657A41C61E5CC3D600

                            Control-flow Graph (rendered graph not reproduced)
                            APIs
                            • std::_Lockit::_Lockit.LIBCPMT ref: 00E020A5
                            • std::_Lockit::_Lockit.LIBCPMT ref: 00E020BF
                            • std::_Lockit::~_Lockit.LIBCPMT ref: 00E020E0
                            • std::_Lockit::~_Lockit.LIBCPMT ref: 00E02138
                            • std::_Lockit::_Lockit.LIBCPMT ref: 00E0217D
                            • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00E021CE
                            • __Getctype.LIBCPMT ref: 00E021E5
                            • std::_Facet_Register.LIBCPMT ref: 00E0220F
                            • std::_Lockit::~_Lockit.LIBCPMT ref: 00E02228
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2241644452.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                            • Associated: 00000001.00000002.2241618556.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241680398.0000000000E23000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241756848.0000000000E7D000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e00000_vNx9jGoYpb.jbxd
                            Yara matches
                            Similarity
                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeLocinfo::_Locinfo_ctorRegister
                            • String ID: bad locale name$t3
                            • API String ID: 2236780835-4066369680
                            • Opcode ID: f2d4f6bfc5629b13c1fd2eca08054914cdb2cd29da114eb79505e89afdee131e
                            • Instruction ID: fa40db664bf0d0aabbe7b52564c1cb8e45d289c0c83e8a2bb90c8c0bc8c278de
                            • Opcode Fuzzy Hash: f2d4f6bfc5629b13c1fd2eca08054914cdb2cd29da114eb79505e89afdee131e
                            • Instruction Fuzzy Hash: CF41D0319053408FC311DF68D884B5AF7E0EFD4714F15591CEA98BB2A2DB35E98ACB92

                            Control-flow Graph (rendered graph not reproduced)
                            APIs
                            • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00E0940D
                            • GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 00E0941B
                            • GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00E0942C
                            • GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 00E0943D
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2241644452.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                            • Associated: 00000001.00000002.2241618556.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241680398.0000000000E23000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241756848.0000000000E7D000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e00000_vNx9jGoYpb.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$HandleModule
                            • String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
                            • API String ID: 667068680-1247241052
                            • Opcode ID: dc7c3e9eefdfa933a4b0996e60a27d5b2e05d242153c1dfacacd8a0b4e829701
                            • Instruction ID: 55bdc102f66b713192cc95218eabaf8f0501be73987f6d8fb2524fa701a462ad
                            • Opcode Fuzzy Hash: dc7c3e9eefdfa933a4b0996e60a27d5b2e05d242153c1dfacacd8a0b4e829701
                            • Instruction Fuzzy Hash: B6E0ECB1991320AF9311DFB6BC0DC867AA5FB09B123019412B54DF22A0DBBC068D8FA4

                            Control-flow Graph (rendered graph not reproduced)
                            APIs
                            • type_info::operator==.LIBVCRUNTIME ref: 00E0CEC7
                            • ___TypeMatch.LIBVCRUNTIME ref: 00E0CFD5
                            • _UnwindNestedFrames.LIBCMT ref: 00E0D127
                            • CallUnexpected.LIBVCRUNTIME ref: 00E0D142
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2241644452.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                            • Associated: 00000001.00000002.2241618556.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241680398.0000000000E23000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241756848.0000000000E7D000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e00000_vNx9jGoYpb.jbxd
                            Yara matches
                            Similarity
                            • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                            • String ID: csm$csm$csm
                            • API String ID: 2751267872-393685449
                            • Opcode ID: 568ee5f2d87f87f8c74c41410e17e179117b4447d277b7964fcf4d7feb0ce21d
                            • Instruction ID: cf30cdf354b1d279695434c11e178847fffdd04c20caa92f4831617b2b5e847e
                            • Opcode Fuzzy Hash: 568ee5f2d87f87f8c74c41410e17e179117b4447d277b7964fcf4d7feb0ce21d
                            • Instruction Fuzzy Hash: 80B19E71904209EFCF25DFA4C8809AEBBB6FF14314F24615AE8057B282D731DA92CB91

                            Control-flow Graph (rendered graph not reproduced)
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2241644452.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                            • Associated: 00000001.00000002.2241618556.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241680398.0000000000E23000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241756848.0000000000E7D000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e00000_vNx9jGoYpb.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-3907804496
                            • Opcode ID: 72a57947bb8423b20b3403dc5cb86d95d39c8dac1cafd9888646205341f19a3b
                            • Instruction ID: dc12c8e8c39011ee84315fef61766e1ac50e1ea6fa641f2bfe1d31f82cd4c7fb
                            • Opcode Fuzzy Hash: 72a57947bb8423b20b3403dc5cb86d95d39c8dac1cafd9888646205341f19a3b
                            • Instruction Fuzzy Hash: 09B1BF70A00249AFDB11DF99C981BEDBBF6BF49308F285158E955B7291CB709DC2CB60

                            Control-flow Graph (rendered graph not reproduced)
                            APIs
                            • GetCPInfo.KERNEL32(01405380,01405380,?,7FFFFFFF,?,00E1FDA9,01405380,01405380,?,01405380,?,?,?,?,01405380,?), ref: 00E1FB7F
                            • __alloca_probe_16.LIBCMT ref: 00E1FC3A
                            • __alloca_probe_16.LIBCMT ref: 00E1FCC9
                            • __freea.LIBCMT ref: 00E1FD14
                            • __freea.LIBCMT ref: 00E1FD1A
                            • __freea.LIBCMT ref: 00E1FD50
                            • __freea.LIBCMT ref: 00E1FD56
                            • __freea.LIBCMT ref: 00E1FD66
                            Memory Dump Source
                            • Source File: 00000001.00000002.2241644452.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                            • Associated: 00000001.00000002.2241618556.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241680398.0000000000E23000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241756848.0000000000E7D000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e00000_vNx9jGoYpb.jbxd
                            Yara matches
                            Similarity
                            • API ID: __freea$__alloca_probe_16$Info
                            • String ID:
                            • API String ID: 127012223-0
                            • Opcode ID: bea939869869bb72c742a0eb3d2b7cc2ce57180ff615d7e3df223dff169204d9
                            • Instruction ID: d2becb4078b51358d55ab73375265aa0c89bea273de4b9505f01d2bbf5a4b570
                            • Opcode Fuzzy Hash: bea939869869bb72c742a0eb3d2b7cc2ce57180ff615d7e3df223dff169204d9
                            • Instruction Fuzzy Hash: 1C71D57290420A6BDF209E64EC91FFE77F59F49318F292165E914BB282D635DCC187E0
                            APIs
                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 00E09126
                            • __alloca_probe_16.LIBCMT ref: 00E09152
                            • MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 00E09191
                            • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E091AE
                            • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00E091ED
                            • __alloca_probe_16.LIBCMT ref: 00E0920A
                            • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E0924C
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00E0926F
                            Memory Dump Source
                            • Source File: 00000001.00000002.2241644452.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                            • Associated: 00000001.00000002.2241618556.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241680398.0000000000E23000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241756848.0000000000E7D000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e00000_vNx9jGoYpb.jbxd
                            Yara matches
                            Similarity
                            • API ID: ByteCharMultiStringWide$__alloca_probe_16
                            • String ID:
                            • API String ID: 2040435927-0
                            • Opcode ID: bde83ac1ee7acbd100fcf26498868cf2b5bccaf3e0e71f4c4e39517ea16a1550
                            • Instruction ID: 9f0cf3801849d9b46369f975f1ef122a5a37db63984c75052090a5eed0edaace
                            • Opcode Fuzzy Hash: bde83ac1ee7acbd100fcf26498868cf2b5bccaf3e0e71f4c4e39517ea16a1550
                            • Instruction Fuzzy Hash: 8251AC72A0020ABBDF209FA0DC45FAB7BB9EF40754F215528F905B61E2D7748991CB60
                            APIs
                            • FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,D3BFC901,?,00E14D1B,?,?,?,00000000), ref: 00E14CCF
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2241644452.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                            • Associated: 00000001.00000002.2241618556.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241680398.0000000000E23000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241756848.0000000000E7D000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e00000_vNx9jGoYpb.jbxd
                            Yara matches
                            Similarity
                            • API ID: FreeLibrary
                            • String ID: api-ms-$ext-ms-
                            • API String ID: 3664257935-537541572
                            • Opcode ID: 6fdefc268bc0fc99cc20cfb30ab21bf538973118cfd7b031df023b02d49bcac0
                            • Instruction ID: 97e0f062489889e3145f89f37441f343589ea87a3e568121e0854a3c869448b8
                            • Opcode Fuzzy Hash: 6fdefc268bc0fc99cc20cfb30ab21bf538973118cfd7b031df023b02d49bcac0
                            • Instruction Fuzzy Hash: 05212BB1A02310BBDB319B75DC40ADAB798AB51764F241115E907B73D0D731EE85CAE0
                            APIs
                            • __EH_prolog3.LIBCMT ref: 00E07C46
                            • std::_Lockit::_Lockit.LIBCPMT ref: 00E07C50
                              • Part of subcall function 00E033F0: std::_Lockit::_Lockit.LIBCPMT ref: 00E033FF
                              • Part of subcall function 00E033F0: std::_Lockit::~_Lockit.LIBCPMT ref: 00E0341A
                            • codecvt.LIBCPMT ref: 00E07C8A
                            • std::_Facet_Register.LIBCPMT ref: 00E07CA1
                            • std::_Lockit::~_Lockit.LIBCPMT ref: 00E07CC1
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2241644452.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                            • Associated: 00000001.00000002.2241618556.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241680398.0000000000E23000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241756848.0000000000E7D000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e00000_vNx9jGoYpb.jbxd
                            Yara matches
                            Similarity
                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
                            • String ID: k
                            • API String ID: 712880209-4082892380
                            • Opcode ID: 7df495184536fb0bd9888dd61c4600325d08c24f8e485eaf91d21a844795bf50
                            • Instruction ID: 537b1bab52817df8f4888916c93a5636a64f3a1e408f5bc90024f8f9d2ae4873
                            • Opcode Fuzzy Hash: 7df495184536fb0bd9888dd61c4600325d08c24f8e485eaf91d21a844795bf50
                            • Instruction Fuzzy Hash: F311DF729042259FCB04EB6898426AEBBF4AF84720F64141DE555B72C2DB74AE808BD0
                            APIs
                            • __EH_prolog3.LIBCMT ref: 00E07544
                            • std::_Lockit::_Lockit.LIBCPMT ref: 00E0754F
                            • std::_Lockit::~_Lockit.LIBCPMT ref: 00E075BD
                              • Part of subcall function 00E076A0: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00E076B8
                            • std::locale::_Setgloballocale.LIBCPMT ref: 00E0756A
                            • _Yarn.LIBCPMT ref: 00E07580
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2241644452.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                            • Associated: 00000001.00000002.2241618556.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241680398.0000000000E23000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241756848.0000000000E7D000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e00000_vNx9jGoYpb.jbxd
                            Yara matches
                            Similarity
                            • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                            • String ID: k
                            • API String ID: 1088826258-4082892380
                            • Opcode ID: 6d4ef1a9eeb722fc77bde7a1ae7d75cd4492505025c3789f771719e9c19f3bdf
                            • Instruction ID: cad8fd1cc6d76c060d5eff7c18a9a40d39f276018c9f362e30f2d4d11a2c7428
                            • Opcode Fuzzy Hash: 6d4ef1a9eeb722fc77bde7a1ae7d75cd4492505025c3789f771719e9c19f3bdf
                            • Instruction Fuzzy Hash: B4015A75A016219FDB06EF21E855A7DBBB2AFC4350B145008EA52773C2DB386E86CBD1
                            APIs
                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,D3BFC901,?,?,00000000,00E210A9,000000FF,?,00E11ECA,?,?,00E11E9E,00000016), ref: 00E11F6F
                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00E11F81
                            • FreeLibrary.KERNEL32(00000000,?,00000000,00E210A9,000000FF,?,00E11ECA,?,?,00E11E9E,00000016), ref: 00E11FA3
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2241644452.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                            • Associated: 00000001.00000002.2241618556.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241680398.0000000000E23000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241756848.0000000000E7D000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e00000_vNx9jGoYpb.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressFreeHandleLibraryModuleProc
                            • String ID: CorExitProcess$mscoree.dll$k
                            • API String ID: 4061214504-590038894
                            • Opcode ID: 91ecf7093c8f04ba42bc851c837ad41fbbc702f3793dfab9a5c6c6a09a3064a8
                            • Instruction ID: 4d606baddb09e00dbc3c81724c598e6057e7cdd370d1ea2f4c3b589567a470aa
                            • Opcode Fuzzy Hash: 91ecf7093c8f04ba42bc851c837ad41fbbc702f3793dfab9a5c6c6a09a3064a8
                            • Instruction Fuzzy Hash: B401F731A44729AFDB118F51DC05FBEB7B8FB04B15F000126F912B2290D7798945CE90
                            APIs
                            • GetLastError.KERNEL32(?,?,00E0CA31,00E0B003,00E06E40,D3BFC901,?,?,?,00000000,00E20E82,000000FF,?,00E057DE,?,?), ref: 00E0CA48
                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00E0CA56
                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E0CA6F
                            • SetLastError.KERNEL32(00000000,?,00E0CA31,00E0B003,00E06E40,D3BFC901,?,?,?,00000000,00E20E82,000000FF,?,00E057DE,?,?), ref: 00E0CAC1
                            Memory Dump Source
                            • Source File: 00000001.00000002.2241644452.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                            • Associated: 00000001.00000002.2241618556.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241680398.0000000000E23000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241756848.0000000000E7D000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e00000_vNx9jGoYpb.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLastValue___vcrt_
                            • String ID:
                            • API String ID: 3852720340-0
                            • Opcode ID: e8163f56449c6110e543314b751b7e5b9b665a9bac65c6e10e03d511b74f4ee4
                            • Instruction ID: 3595528e4be8b66e3b14682168db1b10caef3b6f69d40ed64d3c52362d072b07
                            • Opcode Fuzzy Hash: e8163f56449c6110e543314b751b7e5b9b665a9bac65c6e10e03d511b74f4ee4
                            • Instruction Fuzzy Hash: B501283230C215ADE620D7B5AC8552A76E8EF12375330332AF116711E2EF924CC6D250
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2241644452.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                            • Associated: 00000001.00000002.2241618556.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241680398.0000000000E23000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241756848.0000000000E7D000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e00000_vNx9jGoYpb.jbxd
                            Yara matches
                            Similarity
                            • API ID: AdjustPointer
                            • String ID: k
                            • API String ID: 1740715915-4082892380
                            • Opcode ID: e8d6f302b96e9f7b81467c786df8a170646e8ee363a07da47cc49964357640f5
                            • Instruction ID: 36a3212127992dfc8a7154794f89c76e38c1d5c288c6219840988047beb9659a
                            • Opcode Fuzzy Hash: e8d6f302b96e9f7b81467c786df8a170646e8ee363a07da47cc49964357640f5
                            • Instruction Fuzzy Hash: B551B3716043069FEB299F64D881BBAB7A4EF04714F385729E919A72E1D731ACC4CB90
                            APIs
                            • __alloca_probe_16.LIBCMT ref: 00E16573
                            • __alloca_probe_16.LIBCMT ref: 00E16634
                            • __freea.LIBCMT ref: 00E1669B
                              • Part of subcall function 00E153D2: HeapAlloc.KERNEL32(00000000,?,?,?,00E0970C,?,?,00E0193D,?,?,00E22BCE,?,?), ref: 00E15404
                            • __freea.LIBCMT ref: 00E166B0
                            • __freea.LIBCMT ref: 00E166C0
                            Memory Dump Source
                            • Source File: 00000001.00000002.2241644452.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                            • Associated: 00000001.00000002.2241618556.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241680398.0000000000E23000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241756848.0000000000E7D000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e00000_vNx9jGoYpb.jbxd
                            Yara matches
                            Similarity
                            • API ID: __freea$__alloca_probe_16$AllocHeap
                            • String ID:
                            • API String ID: 1096550386-0
                            • Opcode ID: 41592cf4ffb527e95033a547149e6ca72f9dcb4ac624e510d17730011a03bfda
                            • Instruction ID: bcb384cf7bd613b3ef995e2331d7734e44027b659858459ae0a3e2a567b1e8fa
                            • Opcode Fuzzy Hash: 41592cf4ffb527e95033a547149e6ca72f9dcb4ac624e510d17730011a03bfda
                            • Instruction Fuzzy Hash: F5519072600216AFEF219F64DC81EFB3AEAEF44354B151528FD04F6151EB71CD9086A0
                            APIs
                            • GetCurrentThreadId.KERNEL32 ref: 00E0703D
                            • AcquireSRWLockExclusive.KERNEL32(?,?,00000000,?,00E053D4,?,?,?,?,?), ref: 00E0705C
                            • AcquireSRWLockExclusive.KERNEL32(?,?,?,?,00000000,?,00E053D4,?,?,?,?,?), ref: 00E0708A
                            • TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,00000000,?,00E053D4,?,?,?,?,?), ref: 00E070E5
                            • TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,00000000,?,00E053D4,?,?,?,?,?), ref: 00E070FC
                            Memory Dump Source
                            • Source File: 00000001.00000002.2241644452.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                            • Associated: 00000001.00000002.2241618556.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241680398.0000000000E23000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241756848.0000000000E7D000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e00000_vNx9jGoYpb.jbxd
                            Yara matches
                            Similarity
                            • API ID: AcquireExclusiveLock$CurrentThread
                            • String ID:
                            • API String ID: 66001078-0
                            • Opcode ID: 30fc9d4eb22b77f3e6f93b01ac91ca6992bf0c62060c33ad2280ec294069a507
                            • Instruction ID: c8bd2280874ff14cf0cc17b176f97646a28966abab0a21687f08c708529e3601
                            • Opcode Fuzzy Hash: 30fc9d4eb22b77f3e6f93b01ac91ca6992bf0c62060c33ad2280ec294069a507
                            • Instruction Fuzzy Hash: 6A41F831D09606DFCB20DF65C8809AAB3F5FF04354B506619E496A75C0E770F9D5CBA1
                            APIs
                            • ___except_validate_context_record.LIBVCRUNTIME ref: 00E0C87F
                            • __IsNonwritableInCurrentImage.LIBCMT ref: 00E0C933
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2241644452.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                            • Associated: 00000001.00000002.2241618556.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241680398.0000000000E23000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241756848.0000000000E7D000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e00000_vNx9jGoYpb.jbxd
                            Yara matches
                            Similarity
                            • API ID: CurrentImageNonwritable___except_validate_context_record
                            • String ID: csm$k
                            • API String ID: 3480331319-4057219848
                            • Opcode ID: 8c1624f9d3f379d4cfe9f3bc098d05660987229775e1c81a7ee6daca7b83fcb3
                            • Instruction ID: 8609195b2fdc94c1e2c64063d8d14784b7aa9cad12d26c491c5935af2c48d1d4
                            • Opcode Fuzzy Hash: 8c1624f9d3f379d4cfe9f3bc098d05660987229775e1c81a7ee6daca7b83fcb3
                            • Instruction Fuzzy Hash: 9241A534A00219AFCF14DF68CC41A9EBBF5AF45318F24D255E8197B3D2D731AA95CB90
                            APIs
                            • LoadLibraryExW.KERNEL32(?,00000000,00000800,?,00E0DAE3,?,?,00000000,?,?,?,00E0DC0D,00000002,FlsGetValue,00E250A0,FlsGetValue), ref: 00E0DB3F
                            • GetLastError.KERNEL32(?,00E0DAE3,?,?,00000000,?,?,?,00E0DC0D,00000002,FlsGetValue,00E250A0,FlsGetValue,?,?,00E0CA5B), ref: 00E0DB49
                            • LoadLibraryExW.KERNEL32(?,00000000,00000000,00E2CC7C,ios_base::failbit set,00000000), ref: 00E0DB71
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2241644452.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                            • Associated: 00000001.00000002.2241618556.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241680398.0000000000E23000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241756848.0000000000E7D000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e00000_vNx9jGoYpb.jbxd
                            Yara matches
                            Similarity
                            • API ID: LibraryLoad$ErrorLast
                            • String ID: api-ms-
                            • API String ID: 3177248105-2084034818
                            • Opcode ID: cd53a61d36673d4c7551d64569438df2353985e3d583fa96f803edbe82f6be0a
                            • Instruction ID: 3e11348f4ac75645104cb3203d69850e474a0b4cee9b0973cadbca44685eb62d
                            • Opcode Fuzzy Hash: cd53a61d36673d4c7551d64569438df2353985e3d583fa96f803edbe82f6be0a
                            • Instruction Fuzzy Hash: C9E01A71284304BBEF201BB1EC06F593F54AB01F64F145021F90DB80E1DB66DA959EA8
                            APIs
                            • GetConsoleOutputCP.KERNEL32(D3BFC901,00000000,00000000,00000000), ref: 00E16B18
                              • Part of subcall function 00E19574: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00E16691,?,00000000,-00000008), ref: 00E19620
                            • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00E16D73
                            • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00E16DBB
                            • GetLastError.KERNEL32 ref: 00E16E5E
                            Memory Dump Source
                            • Source File: 00000001.00000002.2241644452.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                            • Associated: 00000001.00000002.2241618556.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241680398.0000000000E23000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241756848.0000000000E7D000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e00000_vNx9jGoYpb.jbxd
                            Yara matches
                            Similarity
                            • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                            • String ID:
                            • API String ID: 2112829910-0
                            • Opcode ID: 9421d088236960e3ee4a3fd75dfbd38ce3db17503a56d7d201f7247124297280
                            • Instruction ID: 61dc9ba307522ef0813d871f5e9c458dced586ad2c64d6c753b20b9341933de9
                            • Opcode Fuzzy Hash: 9421d088236960e3ee4a3fd75dfbd38ce3db17503a56d7d201f7247124297280
                            • Instruction Fuzzy Hash: 7DD148B5E002589FCB15CFA8D8809EDBBB5FF49304F28516AE865F7351E630AA85CF50
                            APIs
                            • std::_Throw_Cpp_error.LIBCPMT ref: 00E047F6
                            • std::_Throw_Cpp_error.LIBCPMT ref: 00E04801
                            • std::_Throw_Cpp_error.LIBCPMT ref: 00E04905
                            • std::_Throw_Cpp_error.LIBCPMT ref: 00E04910
                            Memory Dump Source
                            • Source File: 00000001.00000002.2241644452.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                            • Associated: 00000001.00000002.2241618556.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241680398.0000000000E23000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241756848.0000000000E7D000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e00000_vNx9jGoYpb.jbxd
                            Yara matches
                            Similarity
                            • API ID: Cpp_errorThrow_std::_
                            • String ID:
                            • API String ID: 2134207285-0
                            • Opcode ID: fe46b539dc8b7b2c6960b9db6ab09d3413bf2391604aa84ae4479e77096a6711
                            • Instruction ID: 2da009e784447bb075a94f206a5540c26276052eb2533029fa18703870328ab7
                            • Opcode Fuzzy Hash: fe46b539dc8b7b2c6960b9db6ab09d3413bf2391604aa84ae4479e77096a6711
                            • Instruction Fuzzy Hash: EA5144F28043406AE724AB709906B5B77E89F51314F086D2DFAD6221D2D771E8D8C7A3
                            APIs
                            • InitOnceBeginInitialize.KERNEL32(00E7B6EC,00000000,?,00000000), ref: 00E05B61
                            • InitOnceComplete.KERNEL32(00E7B6EC,00000000,00000000), ref: 00E05B84
                            Memory Dump Source
                            • Source File: 00000001.00000002.2241644452.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                            • Associated: 00000001.00000002.2241618556.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241680398.0000000000E23000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241756848.0000000000E7D000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e00000_vNx9jGoYpb.jbxd
                            Yara matches
                            Similarity
                            • API ID: InitOnce$BeginCompleteInitialize
                            • String ID:
                            • API String ID: 51270584-0
                            • Opcode ID: fd4661912c58758652e97cbcfc27b1b7f4964bace3a7401d05108d1527e674d3
                            • Instruction ID: 2579267a831ba2d2ee086535348da33ca805b9dc45b502e56e0b422230f67d26
                            • Opcode Fuzzy Hash: fd4661912c58758652e97cbcfc27b1b7f4964bace3a7401d05108d1527e674d3
                            • Instruction Fuzzy Hash: 6B31D2B1A00605EFDB20EFA5DC42B5AB7E8FB04714F10822AF919A72C1D775B944CF91
                            APIs
                              • Part of subcall function 00E19574: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00E16691,?,00000000,-00000008), ref: 00E19620
                            • GetLastError.KERNEL32 ref: 00E199F4
                            • __dosmaperr.LIBCMT ref: 00E199FB
                            • GetLastError.KERNEL32(?,?,?,?), ref: 00E19A35
                            • __dosmaperr.LIBCMT ref: 00E19A3C
                            Memory Dump Source
                            • Source File: 00000001.00000002.2241644452.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                            • Associated: 00000001.00000002.2241618556.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241680398.0000000000E23000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241756848.0000000000E7D000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e00000_vNx9jGoYpb.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                            • String ID:
                            • API String ID: 1913693674-0
                            • Opcode ID: e419d2cab86ae96bfccda9d2317711625dcdb22c78661dd3dbf5ce823552c1b1
                            • Instruction ID: 1255107c51eef8925396b80f5bad92f4f562b466ef12110eea3bb619cec0e5f7
                            • Opcode Fuzzy Hash: e419d2cab86ae96bfccda9d2317711625dcdb22c78661dd3dbf5ce823552c1b1
                            • Instruction Fuzzy Hash: 3721B671700205AF9B20AF6188A1DEAB7E9FF44364700A519F919F7552D734EDC5CBA0
                            Memory Dump Source
                            • Source File: 00000001.00000002.2241644452.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                            • Associated: 00000001.00000002.2241618556.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241680398.0000000000E23000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241756848.0000000000E7D000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e00000_vNx9jGoYpb.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 86eaee0de0f77b0121594300dccc03dbd7a0e12584dea6edb47c17be835ac613
                            • Instruction ID: d0bfcee19a22459ab72ff775d3e086bf8c30e5a707cfb35290e62313c6c26cf7
                            • Opcode Fuzzy Hash: 86eaee0de0f77b0121594300dccc03dbd7a0e12584dea6edb47c17be835ac613
                            • Instruction Fuzzy Hash: F4217C71604205BF9B20AFA1E881DEAB7A9AB053687109594FA19F6160D730EDC1EAA1
                            APIs
                            • GetEnvironmentStringsW.KERNEL32 ref: 00E1A92E
                              • Part of subcall function 00E19574: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00E16691,?,00000000,-00000008), ref: 00E19620
                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00E1A966
                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00E1A986
                            Memory Dump Source
                            • Source File: 00000001.00000002.2241644452.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                            • Associated: 00000001.00000002.2241618556.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241680398.0000000000E23000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241756848.0000000000E7D000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e00000_vNx9jGoYpb.jbxd
                            Yara matches
                            Similarity
                            • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                            • String ID:
                            • API String ID: 158306478-0
                            • Opcode ID: 45d004d934e339181f3fed45ad23e29556a17590ae5c2507557e1ac1c6fcaa62
                            • Instruction ID: dc4bd0aa1bdf08f54eb40af3970eeeca70f27bc6ebbfdcdd596aef655a29287f
                            • Opcode Fuzzy Hash: 45d004d934e339181f3fed45ad23e29556a17590ae5c2507557e1ac1c6fcaa62
                            • Instruction Fuzzy Hash: 1711C4F16036157E67212BB6AC8ADFF6AACDEC53A47652424F502B1101EA648EC14972
                            APIs
                            • WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00E1E4E1,00000000,00000001,00000000,00000000,?,00E16EB2,00000000,00000000,00000000), ref: 00E1F6BF
                            • GetLastError.KERNEL32(?,00E1E4E1,00000000,00000001,00000000,00000000,?,00E16EB2,00000000,00000000,00000000,00000000,00000000,?,00E17439,?), ref: 00E1F6CB
                              • Part of subcall function 00E1F691: CloseHandle.KERNEL32(FFFFFFFE,00E1F6DB,?,00E1E4E1,00000000,00000001,00000000,00000000,?,00E16EB2,00000000,00000000,00000000,00000000,00000000), ref: 00E1F6A1
                            • ___initconout.LIBCMT ref: 00E1F6DB
                              • Part of subcall function 00E1F653: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00E1F682,00E1E4CE,00000000,?,00E16EB2,00000000,00000000,00000000,00000000), ref: 00E1F666
                            • WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,?,00E1E4E1,00000000,00000001,00000000,00000000,?,00E16EB2,00000000,00000000,00000000,00000000), ref: 00E1F6F0
                            Memory Dump Source
                            • Source File: 00000001.00000002.2241644452.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                            • Associated: 00000001.00000002.2241618556.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241680398.0000000000E23000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241756848.0000000000E7D000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e00000_vNx9jGoYpb.jbxd
                            Yara matches
                            Similarity
                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                            • String ID:
                            • API String ID: 2744216297-0
                            • Opcode ID: 1d4a35f851a32f510da05367643b5516ef10fa6f471ea08e1b7a0cd04f8c1e49
                            • Instruction ID: 915a7f7ae1b755d2d6d829c9ea0cffcea6e2db9efcb2577e8bc959104450bd3b
                            • Opcode Fuzzy Hash: 1d4a35f851a32f510da05367643b5516ef10fa6f471ea08e1b7a0cd04f8c1e49
                            • Instruction Fuzzy Hash: 4AF01C36001224BFCF326FE6DC089DE3F66FB497A1B144020FA18A5131C63289A1DFD1
                            APIs
                            • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,00E2000F), ref: 00E2026F
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2241644452.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                            • Associated: 00000001.00000002.2241618556.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241680398.0000000000E23000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241756848.0000000000E7D000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e00000_vNx9jGoYpb.jbxd
                            Yara matches
                            Similarity
                            • API ID: DecodePointer
                            • String ID: dr$k
                            • API String ID: 3527080286-1751057584
                            • Opcode ID: 57026dfba5db7cf16b09cc5065e449cfcaf3aa7327ac8f7d5e9399b3390e0656
                            • Instruction ID: 06f2196c685b3421dc3c60a1cbc78ca68b857272e69902d4f41589aba8811228
                            • Opcode Fuzzy Hash: 57026dfba5db7cf16b09cc5065e449cfcaf3aa7327ac8f7d5e9399b3390e0656
                            • Instruction Fuzzy Hash: 1351917190462ACBCF10DF69F84D1EDBFB0FB48318F146046E591B62A6CB748A65CF51
                            APIs
                            • std::_Throw_Cpp_error.LIBCPMT ref: 00E03E5E
                            • std::_Throw_Cpp_error.LIBCPMT ref: 00E03E69
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2241644452.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                            • Associated: 00000001.00000002.2241618556.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241680398.0000000000E23000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241756848.0000000000E7D000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e00000_vNx9jGoYpb.jbxd
                            Yara matches
                            Similarity
                            • API ID: Cpp_errorThrow_std::_
                            • String ID: H6
                            • API String ID: 2134207285-265464115
                            • Opcode ID: 8ae71fd67ac62930351a4469816fa698a7603fd645cecbb1141163c7ba48283c
                            • Instruction ID: 6015d65a7024e760779a6d9c69178d9e5890cadd35cdac05070c7c83d6c55620
                            • Opcode Fuzzy Hash: 8ae71fd67ac62930351a4469816fa698a7603fd645cecbb1141163c7ba48283c
                            • Instruction Fuzzy Hash: 1641F870600301CFCB24EF34C88576AB7E9BF45319F08956DE8199B2D6D731EA85CB92
                            APIs
                            • EncodePointer.KERNEL32(00000000,?), ref: 00E0D172
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2241644452.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                            • Associated: 00000001.00000002.2241618556.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241680398.0000000000E23000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241756848.0000000000E7D000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e00000_vNx9jGoYpb.jbxd
                            Yara matches
                            Similarity
                            • API ID: EncodePointer
                            • String ID: MOC$RCC
                            • API String ID: 2118026453-2084237596
                            • Opcode ID: 94122ba484e0402055c12ad9441e6f3cbd5bbc4d5aca7372bb83b5d8af92169b
                            • Instruction ID: 82bc4c97ebdb2b42191585684f1a681aedee8c4e509870f548a0697816e4db48
                            • Opcode Fuzzy Hash: 94122ba484e0402055c12ad9441e6f3cbd5bbc4d5aca7372bb83b5d8af92169b
                            • Instruction Fuzzy Hash: A5415672904209AFCF16CFA8CC81AAEBBB5FF48318F189159F904B72A1D335D990DB51
                            APIs
                            • __alloca_probe_16.LIBCMT ref: 00E06F89
                            • RaiseException.KERNEL32(?,?,?,?,00000000,00000000), ref: 00E06FAE
                              • Part of subcall function 00E0A4B0: RaiseException.KERNEL32(E06D7363,00000001,00000003,00E0A1CE,?,?,?,?,00E0A1CE,?,00E2CB74), ref: 00E0A510
                              • Part of subcall function 00E0E0BB: IsProcessorFeaturePresent.KERNEL32(00000017,00E0DE42,?,00E0DDB1,00000001,00000016,00E0DFC0,?,?,?,?,?,00000000), ref: 00E0E0D7
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2241644452.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                            • Associated: 00000001.00000002.2241618556.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241680398.0000000000E23000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241756848.0000000000E7D000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e00000_vNx9jGoYpb.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
                            • String ID: csm
                            • API String ID: 1924019822-1018135373
                            • Opcode ID: 5658ebc737eaabd034a8ae10b4ab359bc7058f8aa5f3e2bc2b9bccc247c0f01f
                            • Instruction ID: 71009d0a20025185b4560741b17b1ebf979a95de8f179704b90986cb418a9b34
                            • Opcode Fuzzy Hash: 5658ebc737eaabd034a8ae10b4ab359bc7058f8aa5f3e2bc2b9bccc247c0f01f
                            • Instruction Fuzzy Hash: 1C21D331E002199BCF24DF95E941BAEB3B5EF04714F145409F405BB1D1C770AEA5CB81
                            APIs
                            • std::_Lockit::_Lockit.LIBCPMT ref: 00E075D6
                            • std::_Lockit::~_Lockit.LIBCPMT ref: 00E07632
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2241644452.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                            • Associated: 00000001.00000002.2241618556.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241680398.0000000000E23000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241756848.0000000000E7D000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e00000_vNx9jGoYpb.jbxd
                            Yara matches
                            Similarity
                            • API ID: Lockitstd::_$Lockit::_Lockit::~_
                            • String ID: k
                            • API String ID: 593203224-4082892380
                            • Opcode ID: a503a8714ecb2898c38f0e400614e1a6d26bcebdbf362ec3356305f1257cd0f8
                            • Instruction ID: ee1096d5f6bff8286d81b02f8005a756bb1ed6ec03f60f8c85081778ed8a02ad
                            • Opcode Fuzzy Hash: a503a8714ecb2898c38f0e400614e1a6d26bcebdbf362ec3356305f1257cd0f8
                            • Instruction Fuzzy Hash: 7201B531A00619EFCB15DB18D855EAD77B8EF84354F050099E402AB3A0DF71FE85CB50
                            APIs
                            • std::_Lockit::_Lockit.LIBCPMT ref: 00E023C5
                            • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00E0240A
                              • Part of subcall function 00E0763B: _Yarn.LIBCPMT ref: 00E0765A
                              • Part of subcall function 00E0763B: _Yarn.LIBCPMT ref: 00E0767E
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2241644452.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                            • Associated: 00000001.00000002.2241618556.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241680398.0000000000E23000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241756848.0000000000E7D000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e00000_vNx9jGoYpb.jbxd
                            Yara matches
                            Similarity
                            • API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
                            • String ID: bad locale name
                            • API String ID: 1908188788-1405518554
                            • Opcode ID: e48c48580213faf96def0a9ca4252058344b2a815f3fde6bbccfb54e5d4d386b
                            • Instruction ID: 1076555d9c859d956d9edd1aef75746cab9504f64c756747f597d55ca6dc7376
                            • Opcode Fuzzy Hash: e48c48580213faf96def0a9ca4252058344b2a815f3fde6bbccfb54e5d4d386b
                            • Instruction Fuzzy Hash: DFF067B0500B408EE330DF39C404743BAE0AF28310F009A1EE4DAD7A82E379E148CBE6
                            APIs
                            • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?), ref: 00E15026
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2241644452.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                            • Associated: 00000001.00000002.2241618556.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241680398.0000000000E23000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241756848.0000000000E7D000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e00000_vNx9jGoYpb.jbxd
                            Yara matches
                            Similarity
                            • API ID: CountCriticalInitializeSectionSpin
                            • String ID: InitializeCriticalSectionEx$k
                            • API String ID: 2593887523-2089363706
                            • Opcode ID: 892afd1ae6f0ef82d73dd690666f8e544d06f2bc346d4e8bc0cc0a0306a6d606
                            • Instruction ID: 8a37f3a8d206f5ae55366403e3f9e25f165292d16d68db8dabfe9c55816a887f
                            • Opcode Fuzzy Hash: 892afd1ae6f0ef82d73dd690666f8e544d06f2bc346d4e8bc0cc0a0306a6d606
                            • Instruction Fuzzy Hash: 7AE09232141328FBCB252FA1EC05EDE7F12EB48760F445421FD0C35160C6729961AAD0
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2241644452.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                            • Associated: 00000001.00000002.2241618556.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241680398.0000000000E23000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241756848.0000000000E7D000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e00000_vNx9jGoYpb.jbxd
                            Yara matches
                            Similarity
                            • API ID: Alloc
                            • String ID: FlsAlloc$k
                            • API String ID: 2773662609-1091923096
                            • Opcode ID: 6410fd868cff4a56942b12a054b7c366b70aa6671cf87e95109109e2c02b2155
                            • Instruction ID: 501b97cf4ddeb73688fd85de325d02415bb5dc1c58f2c21f5a35488a47f368fc
                            • Opcode Fuzzy Hash: 6410fd868cff4a56942b12a054b7c366b70aa6671cf87e95109109e2c02b2155
                            • Instruction Fuzzy Hash: 32E0C272681338BB822127B2BC0ADDEBE85DB80B71B141121FA05792908EB549A19AD5
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2241644452.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                            • Associated: 00000001.00000002.2241618556.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241680398.0000000000E23000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241756848.0000000000E7D000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e00000_vNx9jGoYpb.jbxd
                            Yara matches
                            Similarity
                            • API ID: H_prolog3
                            • String ID: ,7$p7
                            • API String ID: 431132790-3136625856
                            • Opcode ID: 1cc1890cfec83c451510a9e06e1ee12890bf38bbf0a7e7acfc6d41e3e84303a7
                            • Instruction ID: ac58a4b151b5d1d1843c1f2de9389c85e75e6e6628cc2cd7ba45bcaeec0c5c0b
                            • Opcode Fuzzy Hash: 1cc1890cfec83c451510a9e06e1ee12890bf38bbf0a7e7acfc6d41e3e84303a7
                            • Instruction Fuzzy Hash: 96E09AB0A80302AADF30EFA0A90B7AD79B5EF80710F90A148A1247A2C3C7B40B489751
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2241644452.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                            • Associated: 00000001.00000002.2241618556.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241680398.0000000000E23000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241708700.0000000000E2F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2241756848.0000000000E7D000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e00000_vNx9jGoYpb.jbxd
                            Yara matches
                            Similarity
                            • API ID: H_prolog3
                            • String ID: \7$h2
                            • API String ID: 431132790-597254722
                            • Opcode ID: 12cf82a949df9d172f42295cdb303cf83fca8bd80b2518818dfcf0835fad1a3b
                            • Instruction ID: 7ad11959fe4b9c34f8c1eea7324c4676320c2b2113433c3d1d5c41362fe42690
                            • Opcode Fuzzy Hash: 12cf82a949df9d172f42295cdb303cf83fca8bd80b2518818dfcf0835fad1a3b
                            • Instruction Fuzzy Hash: B6E0DF70A80306EEDF20FFA4D80736D7AB0AF81714FA0B558E214762C3CBB40B448B91

                            Execution Graph

                            Execution Coverage:15.2%
                            Dynamic/Decrypted Code Coverage:100%
                            Signature Coverage:3.3%
                            Total number of Nodes:120
                            Total number of Limit Nodes:5
                            execution_graph: node and edge listing of the execution graph, rendered as a diagram in the original report (node ids omitted here). Windows API calls appearing on the graph: GetModuleHandleW, LoadLibraryExW, DuplicateHandle, CreateActCtxA, PostMessageW, OleInitialize, LdrInitializeThunk.

                            Control-flow Graph

                            control_flow_graph: basic-block and edge listing of the control-flow graph, rendered as a diagram in the original report (legend: Executed / Not Executed; block ids omitted here). Call targets appearing on the graph: 60fea0a, 60fea18, 60feb38, a018bb8, a018bc8, a018c8d, 60ff4e8, 60ff417, 60ff1c6, 60f2860, 60fc9c0, 60ff618, 60ff610, 60fd560.
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: (aq$(aq$(aq$0o@p$Dq@p$Lj@p
                            • API String ID: 0-3521037203
                            • Opcode ID: abcccc47bb583b705711db19e948c0f4391d15e6746a3df118469d54aeb415a9
                            • Instruction ID: 08c3cb2bcd16795dc1f2ee34e4d9a0f9ce395633f91496075badca323c88317f
                            • Opcode Fuzzy Hash: abcccc47bb583b705711db19e948c0f4391d15e6746a3df118469d54aeb415a9
                            • Instruction Fuzzy Hash: CC625B35A502159FCB54DF68D594AADBBF6FF88310F1484A9E906DB361CB31EC42CB90

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            Graph not reproduced (node/edge list removed); basic blocks a010d30-a0116eb; no call targets annotated
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2211365357.000000000A010000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A010000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_a010000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: $]q$$]q$$]q$$]q
                            • API String ID: 0-858218434
                            • Opcode ID: 611c101f8838d8da54ddf70bf9c88a71ae6293f326b9e70e05ec7415c8804529
                            • Instruction ID: 90618d02bdfb17a052fdc4379720dba73ce4c97c453ba30765344a2374c62568
                            • Opcode Fuzzy Hash: 611c101f8838d8da54ddf70bf9c88a71ae6293f326b9e70e05ec7415c8804529
                            • Instruction Fuzzy Hash: 3232B474D00228CFDB69DF64C890BDEBBB2BB89304F5085E9C50AAB250DB359E85CF55

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            Graph not reproduced (node/edge list removed); basic blocks a011898-a011ca1; no call targets annotated
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2211365357.000000000A010000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A010000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_a010000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: $]q$$]q$$]q$$]q
                            • API String ID: 0-858218434
                            • Opcode ID: 7b20aac8041ae391317a4885ecb7c2ba95fecda3098434acd900409753402006
                            • Instruction ID: f4404afd35a5e66220a43183bd916d8d17f3bfa57b62fbea255f6f96afbf5349
                            • Opcode Fuzzy Hash: 7b20aac8041ae391317a4885ecb7c2ba95fecda3098434acd900409753402006
                            • Instruction Fuzzy Hash: 72C1C370E0021CCFDB68DFA5C990B9EBBB2BF89300F5085A9C51AAB254DB745986CF51

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            Graph not reproduced (node/edge list removed); basic blocks a0103d8-a010736; no call targets annotated
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2211365357.000000000A010000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A010000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_a010000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: LR]q$PH]q
                            • API String ID: 0-3791814328
                            • Opcode ID: 38e6bcbb404ba573605794cafcf08b428da5788f7b7bb2452b984ed1c811b829
                            • Instruction ID: 16598da682c1818f3bcca43cd3387f6ab222d41d1d2cf91e5291837321a770f8
                            • Opcode Fuzzy Hash: 38e6bcbb404ba573605794cafcf08b428da5788f7b7bb2452b984ed1c811b829
                            • Instruction Fuzzy Hash: 5AA1E274E00228CFDB68DFA5C994BAEBBB2FF89304F1084A9D449AB254DB745985CF41

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            Graph not reproduced (node/edge list removed); basic blocks 60e39c0-60e3c87; call target: 60e0250
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207664226.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60e0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: $]q$$]q
                            • API String ID: 0-127220927
                            • Opcode ID: 25544b14f77950ffbc3034c5f060b30d956047843ed2bf2d235dfc2e2b7eff30
                            • Instruction ID: f3fe41df05804545c80bd68c81bda30dff744a20111287846e60ea8b91b17990
                            • Opcode Fuzzy Hash: 25544b14f77950ffbc3034c5f060b30d956047843ed2bf2d235dfc2e2b7eff30
                            • Instruction Fuzzy Hash: D261D274E402189FDB48DFA9C884ADDBBF2FF89300F648169D505BB264DB34A886CF54
                            APIs
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207664226.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60e0000_RegAsm.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 9698b31a87449bc16e5aace5474e2f31588e2fac11750e1ec22c741722dc61c4
                            • Instruction ID: dc6d9f273b842514269d6bbe5f260cee5c063aa9c3710b142d510237670403f2
                            • Opcode Fuzzy Hash: 9698b31a87449bc16e5aace5474e2f31588e2fac11750e1ec22c741722dc61c4
                            • Instruction Fuzzy Hash: FE21C075E012289FCB58DFA9E484AEDBBF2BB89310F10942AE405B7360DB305881CF54
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2211365357.000000000A010000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A010000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_a010000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: $]q
                            • API String ID: 0-1007455737
                            • Opcode ID: e15c8e2a000f7495a99589b517f89b2fa33cc64a727bb06c5e15cba87e1495c8
                            • Instruction ID: 577eedf4476790339eceab42bd7ae708e432a3a1d4eda277788dfc8279c42153
                            • Opcode Fuzzy Hash: e15c8e2a000f7495a99589b517f89b2fa33cc64a727bb06c5e15cba87e1495c8
                            • Instruction Fuzzy Hash: DE71E074E00218DFDB68DFA9D890AEDBBB2FF89300F609529D415AB354DB359886CF44

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            Graph not reproduced (node/edge list removed); basic blocks 60fc618-60fc9ea; call targets: 60fcc50, 60fcc80
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: (aq$(aq
                            • API String ID: 0-3916115647
                            • Opcode ID: d5e53253b10fce4c62261a178452fa2455bf9abbfbc7b1f77798aba6a6c6e96c
                            • Instruction ID: 7eec7149349ea9da1d346ea24ad1922c0c980e77f50fda6bb185f74a827e96d1
                            • Opcode Fuzzy Hash: d5e53253b10fce4c62261a178452fa2455bf9abbfbc7b1f77798aba6a6c6e96c
                            • Instruction Fuzzy Hash: 84A19134B442448FEB94EB7894A8A6E7BE7EFC8310F1544A9E506DB392DE75DC01CB90

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            Graph not reproduced (node/edge list removed); basic blocks 60ff618-60ff8a7; call targets: 60ff961, 60ff970
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: (aq$(aq
                            • API String ID: 0-3916115647
                            • Opcode ID: 7364287e3cabfb771ee44b0a5421da7d12c9b15f0c5684ff6345d872c4bc41d6
                            • Instruction ID: 0b54618f98b3ad553e70f2adbb5b90e8c0185cd6f78a8d2762ee146886586288
                            • Opcode Fuzzy Hash: 7364287e3cabfb771ee44b0a5421da7d12c9b15f0c5684ff6345d872c4bc41d6
                            • Instruction Fuzzy Hash: F6819D35B502158FDB84DF38D894A2E7BE6AFC9710B1580A9E905DB3A6DE34DC01CBA0

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            Graph not reproduced (node/edge list removed); basic blocks 518ae30-518b0b0; call targets: 5189838, 518b0b8, 518b0c8, 518a814, 518a824, 518a834, 518a844; API call GetModuleHandleW in block 518b068-518b093
                            APIs
                            • GetModuleHandleW.KERNEL32(00000000), ref: 0518B086
                            Memory Dump Source
                            • Source File: 00000002.00000002.2205353620.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_5180000_RegAsm.jbxd
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            • Opcode ID: 6b4f08d71a423b6433988c0b10fe6f7d7f762b20f2918fda0bab7b30c0fb6519
                            • Instruction ID: 07c47a9d9e0fb5317ff41d9b5799cc61b7afe78ba9a63b2aaf1256cf7a62c6c7
                            • Opcode Fuzzy Hash: 6b4f08d71a423b6433988c0b10fe6f7d7f762b20f2918fda0bab7b30c0fb6519
                            • Instruction Fuzzy Hash: 537113B0A00B458FD724EF29D544B6ABBF6FF88214F00892ED44A97A50DB79E845CF90

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            Graph not reproduced (node/edge list removed); basic blocks a0173d0-a01a2e7; API call PostMessageW in block a0174bb-a01a2ca
                            Memory Dump Source
                            • Source File: 00000002.00000002.2211365357.000000000A010000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A010000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_a010000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5602a61a4b592a9b1da785245a6b7ebdafa379d18e815621179ad03a9a4a07d7
                            • Instruction ID: 040707f6e7510cd16df567d468e26ef7a929c1a0cd49818ff1cffc5d5a94668a
                            • Opcode Fuzzy Hash: 5602a61a4b592a9b1da785245a6b7ebdafa379d18e815621179ad03a9a4a07d7
                            • Instruction Fuzzy Hash: 5F516F2284E3E45FD702AB7CD9B49CA7FB4AF53224F0900D7D0809F163D668944CCBAA

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            Graph not reproduced (node/edge list removed); basic blocks a017488-a01a2e7; API call PostMessageW in block a0174bb-a01a2ca
                            APIs
                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 0A01A2BD
                            Memory Dump Source
                            • Source File: 00000002.00000002.2211365357.000000000A010000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A010000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_a010000_RegAsm.jbxd
                            Similarity
                            • API ID: MessagePost
                            • String ID:
                            • API String ID: 410705778-0
                            • Opcode ID: 8a0d2ba5c727f148af01a31c9b8ae899555d723f807a70e0ce067bd591ee0321
                            • Instruction ID: 823631311988f510ee934f86d9d06b7c20c277d24f00d7423e57d78085cf40de
                            • Opcode Fuzzy Hash: 8a0d2ba5c727f148af01a31c9b8ae899555d723f807a70e0ce067bd591ee0321
                            • Instruction Fuzzy Hash: 2851827284A3E45FD7029B7CD9B5ACA7FB4EF42224F09009BD0809B163D66C9449CBA9
                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 051859F1
                            Memory Dump Source
                            • Source File: 00000002.00000002.2205353620.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_5180000_RegAsm.jbxd
                            Similarity
                            • API ID: Create
                            • String ID:
                            • API String ID: 2289755597-0
                            • Opcode ID: 4eadaf9d3833d67a4b04951a1a8c715e61a9d994a88f567ceb3e4146b8c7073d
                            • Instruction ID: 1d5e0a6c6db9bc0546f2ab8a96e4b58cb7618a502f473917456a2a54446b38f5
                            • Opcode Fuzzy Hash: 4eadaf9d3833d67a4b04951a1a8c715e61a9d994a88f567ceb3e4146b8c7073d
                            • Instruction Fuzzy Hash: D241F2B0C00619DFDB24DFA9C888B9DBBF6FF45304F20806AD409AB254DB756946CF90
                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 051859F1
                            Memory Dump Source
                            • Source File: 00000002.00000002.2205353620.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_5180000_RegAsm.jbxd
                            Similarity
                            • API ID: Create
                            • String ID:
                            • API String ID: 2289755597-0
                            • Opcode ID: 09c0551e69928c45060053d5ce7ac1d46aebe9080c8fe094b3bb302406a43f4e
                            • Instruction ID: d2dae16affaff2ca136a74bf0206351fb3ce0fe7f47ced54c937ed31978f539f
                            • Opcode Fuzzy Hash: 09c0551e69928c45060053d5ce7ac1d46aebe9080c8fe094b3bb302406a43f4e
                            • Instruction Fuzzy Hash: DE4101B1C00619DEDB24DFA9C988B9DBBF6FF48304F24805AD418BB254DB75694ACF90
                            APIs
                            • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0518B101,00000800,00000000,00000000), ref: 0518B312
                            Memory Dump Source
                            • Source File: 00000002.00000002.2205353620.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_5180000_RegAsm.jbxd
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: a575dfc6bcccbae07575963f6ae3bc2aaf0f837d1056ec987f40a71d19787777
                            • Instruction ID: 9466d756bab32c32be087ff5e7991466e4f665c5d6ea6fe43fd1a5c03f480cec
                            • Opcode Fuzzy Hash: a575dfc6bcccbae07575963f6ae3bc2aaf0f837d1056ec987f40a71d19787777
                            • Instruction Fuzzy Hash: F831BFB68087488FDB21DF9DC844AEEBFF4EF59310F05805AD455A7252C7789505CFA1
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: (_]q
                            • API String ID: 0-188044275
                            • Opcode ID: 6a9efc401ac4a576d360d6da29a08420b736670f45a64de3c188cf69463c3678
                            • Instruction ID: 1571a159315f7dd18a7b03cad5707c965f6229cbec4d023eb8629fa8becf73ab
                            • Opcode Fuzzy Hash: 6a9efc401ac4a576d360d6da29a08420b736670f45a64de3c188cf69463c3678
                            • Instruction Fuzzy Hash: 63C1AF31E106088FCB95DF78D854A9EBBF2FF89310F10856ED506AB651EB30E946CB91
                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0518D2C6,?,?,?,?,?), ref: 0518D387
                            Memory Dump Source
                            • Source File: 00000002.00000002.2205353620.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_5180000_RegAsm.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: 2f614be86e91c082439b6dec6d616fad93d7549422fe36b0a45893c8362ce7bd
                            • Instruction ID: 03506eb3a3ad23977af1a999812877631e8f8a148d9378f987a6470c9ac667c4
                            • Opcode Fuzzy Hash: 2f614be86e91c082439b6dec6d616fad93d7549422fe36b0a45893c8362ce7bd
                            • Instruction Fuzzy Hash: 0921E6B59003489FDB10DF9AD984AEEBFF4FB48310F14841AE918A3350D378A954CFA4
                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0518D2C6,?,?,?,?,?), ref: 0518D387
                            Memory Dump Source
                            • Source File: 00000002.00000002.2205353620.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_5180000_RegAsm.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: 2260269471b3e602b1a45a2e5a473f5bbcba30d0b5074a803a4c3a4cdcaf6dd4
                            • Instruction ID: e58ad57f6e0c2b68163ae801c5954082d0e181ed2f623932e4114917a9ca828e
                            • Opcode Fuzzy Hash: 2260269471b3e602b1a45a2e5a473f5bbcba30d0b5074a803a4c3a4cdcaf6dd4
                            • Instruction Fuzzy Hash: C321E4B5D002489FDB10CFAAD984AEEBBF5FB48310F14841AE918B3350D378A954CFA4
                            APIs
                            • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0518B101,00000800,00000000,00000000), ref: 0518B312
                            Memory Dump Source
                            • Source File: 00000002.00000002.2205353620.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_5180000_RegAsm.jbxd
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: 7972257e6f2b3220fa513b3278bc276aedd1da86d3027fb2894181093c6a2e9b
                            • Instruction ID: 3c18ee5814c290046df2399ae7d72310b5709c87e96993cc9990ba55d15d21cd
                            • Opcode Fuzzy Hash: 7972257e6f2b3220fa513b3278bc276aedd1da86d3027fb2894181093c6a2e9b
                            • Instruction Fuzzy Hash: 621114B69043498FCB20DF9AC544AAEFBF5EF48310F10842AE919A7210C778A545CFA4
                            APIs
                            • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0518B101,00000800,00000000,00000000), ref: 0518B312
                            Memory Dump Source
                            • Source File: 00000002.00000002.2205353620.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_5180000_RegAsm.jbxd
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: 05e03be5880a00423f46ecb30823f954daf760df5b07bcecb62ee07a2b2f3e61
                            • Instruction ID: 07e6653d9c067f1e9d0c33f63fef6c3a2126f2fa03d710ff1b9f22fdf294a9a8
                            • Opcode Fuzzy Hash: 05e03be5880a00423f46ecb30823f954daf760df5b07bcecb62ee07a2b2f3e61
                            • Instruction Fuzzy Hash: 531117B68043498FCB20DF9AD544AEEFBF4EB48310F14841AE519A7200C778A545CFA4
                            APIs
                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 0A01A2BD
                            Memory Dump Source
                            • Source File: 00000002.00000002.2211365357.000000000A010000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A010000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_a010000_RegAsm.jbxd
                            Similarity
                            • API ID: MessagePost
                            • String ID:
                            • API String ID: 410705778-0
                            • Opcode ID: d509ba597bb32541e0adbffbb7f6c830a59ee1822b972787c12d53283084558f
                            • Instruction ID: c4b43fe81a16f803021c904703dc5d399361e94a7e26c025f0c7898c7be194e5
                            • Opcode Fuzzy Hash: d509ba597bb32541e0adbffbb7f6c830a59ee1822b972787c12d53283084558f
                            • Instruction Fuzzy Hash: 751103B59003499FCB10DF9AD985BDEFFF8EB48320F10841AE518A7610C379A544CFA5
                            APIs
                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 0A01A2BD
                            Memory Dump Source
                            • Source File: 00000002.00000002.2211365357.000000000A010000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A010000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_a010000_RegAsm.jbxd
                            Similarity
                            • API ID: MessagePost
                            • String ID:
                            • API String ID: 410705778-0
                            • Opcode ID: b55d6945a335310b5f3009c91b7faf9c381dd00fe157175c8bc277b16d7de4a3
                            • Instruction ID: 3ccd6b3072f39e4c92a4ebb96eea68f91354797957bfa1751febbc6d88f2d87e
                            • Opcode Fuzzy Hash: b55d6945a335310b5f3009c91b7faf9c381dd00fe157175c8bc277b16d7de4a3
                            • Instruction Fuzzy Hash: 121103B590034C9FCB10DF9AC985BDEBBF8EB48720F10841AE918A7200C379A944CFA5
                            APIs
                            • GetModuleHandleW.KERNEL32(00000000), ref: 0518B086
                            Memory Dump Source
                            • Source File: 00000002.00000002.2205353620.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_5180000_RegAsm.jbxd
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            • Opcode ID: b793df176b3c97105a3c0945123e1d8ddc5a6d5ff24c50f6b152907e80035794
                            • Instruction ID: 3d8734c3b86fbaabd57f45bc2bc3129f1332ea2217e10d07602a952cfb6bd391
                            • Opcode Fuzzy Hash: b793df176b3c97105a3c0945123e1d8ddc5a6d5ff24c50f6b152907e80035794
                            • Instruction Fuzzy Hash: 61110FB6C043498FCB20DF9AC944A9EFBF4EB89220F10841AD429B7210C379A549CFA5
                            APIs
                            • OleInitialize.OLE32(00000000), ref: 060E82F5
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207664226.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60e0000_RegAsm.jbxd
                            Similarity
                            • API ID: Initialize
                            • String ID:
                            • API String ID: 2538663250-0
                            • Opcode ID: e55b8465942da2675879b2b1a7b978801e40e94da5d0c723bf8822278ddfc267
                            • Instruction ID: ae1013a26191f62e10c531990328f8327ccf15e92c07e7900440bb561f66538a
                            • Opcode Fuzzy Hash: e55b8465942da2675879b2b1a7b978801e40e94da5d0c723bf8822278ddfc267
                            • Instruction Fuzzy Hash: 9C1115B59007488FCB60DF9AC949B9EBFF4EB48324F108459D519B7200C378A944CFA5
                            APIs
                            • OleInitialize.OLE32(00000000), ref: 060E82F5
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207664226.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60e0000_RegAsm.jbxd
                            Similarity
                            • API ID: Initialize
                            • String ID:
                            • API String ID: 2538663250-0
                            • Opcode ID: 25092fbaa3be061806750f8e83cba41ab5af2ab1f10fe2b51d6dde76c04d0949
                            • Instruction ID: 07e805cfe97c9c74d7ea1fe51282dee5337107826dcb7f53662df3e11c92a167
                            • Opcode Fuzzy Hash: 25092fbaa3be061806750f8e83cba41ab5af2ab1f10fe2b51d6dde76c04d0949
                            • Instruction Fuzzy Hash: 281112B58006488FCB20DFAADA44B9EBFF4EB48324F24845AD519B3610C338A584CFA5
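The records above are the Joe Sandbox IDA plugin's per-function index: each block ties an API call site (`ref`) to the memory dump it was recovered from, plus opcode and instruction hashes for similarity lookups. What follows is an added parser for that block layout, written for this page and not taken from Joe Sandbox, that reads a constructed excerpt copied from the records above and answers the triage questions a responder asks of such an index: which imports each dumped region calls, which call sites are listed under more than one function record, and which PostMessageW stubs post WM_CLOSE (the 00000010 second argument above). The record boundaries, the field names and the meaning of `?` as an unresolved argument are assumptions inferred from this page's layout.

```python
"""Parse the Joe Sandbox function records above and summarise them for triage.
Added example, not Joe Sandbox code; field names and record layout are read off this page."""
import re
from collections import defaultdict

# Constructed input: four records copied from this page, trimmed to the lines the parser uses.
SAMPLE = """
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0518B101,00000800,00000000,00000000), ref: 0518B312
Memory Dump Source
• Source File: 00000002.00000002.2205353620.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
Joe Sandbox IDA Plugin
Similarity
• API ID: LibraryLoad
• String ID:
• Opcode ID: 05e03be5880a00423f46ecb30823f954daf760df5b07bcecb62ee07a2b2f3e61
• Instruction Fuzzy Hash: 531117B68043498FCB20DF9AD544AEEFBF4EB48310F14841AE519A7200C778A545CFA4
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 0A01A2BD
Memory Dump Source
• Source File: 00000002.00000002.2211365357.000000000A010000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A010000, based on PE: false
• API ID: MessagePost
• Opcode ID: d509ba597bb32541e0adbffbb7f6c830a59ee1822b972787c12d53283084558f
• Instruction Fuzzy Hash: 751103B59003499FCB10DF9AD985BDEFFF8EB48320F10841AE518A7610C379A544CFA5
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 0A01A2BD
Memory Dump Source
• Source File: 00000002.00000002.2211365357.000000000A010000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A010000, based on PE: false
• API ID: MessagePost
• Opcode ID: b55d6945a335310b5f3009c91b7faf9c381dd00fe157175c8bc277b16d7de4a3
• Instruction Fuzzy Hash: 121103B590034C9FCB10DF9AC985BDEBBF8EB48720F10841AE918A7200C379A944CFA5
APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 0518B086
Memory Dump Source
• Source File: 00000002.00000002.2205353620.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
• API ID: HandleModule
• Opcode ID: b793df176b3c97105a3c0945123e1d8ddc5a6d5ff24c50f6b152907e80035794
• Instruction Fuzzy Hash: 61110FB6C043498FCB20DF9AC944A9EFBF4EB89220F10841AD429B7210C379A549CFA5
"""

API_RE = re.compile(r"^•\s*(\w+)\.([A-Z0-9_]+)\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^•\s*Source File:\s*(\S+),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)")
FIELD_RE = re.compile(r"^•\s*([A-Za-z ]+?):\s*(.*)$")
WM_CLOSE = 0x0010  # USER32 message number; the second PostMessageW argument above is 00000010


def parse_records(text):
    """A record opens at an 'APIs'/'Strings' header (or at 'Memory Dump Source' when the
    function had neither) and closes at its 'Instruction Fuzzy Hash' line; a truncated
    trailing record, like the cut-off one at the end of this page, is dropped (assumed layout)."""
    records, cur, in_apis = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("APIs", "Strings"):
            cur, in_apis = {"kind": line, "apis": [], "fields": {}}, True
        elif line == "Memory Dump Source":
            cur, in_apis = cur or {"kind": "Code", "apis": [], "fields": {}}, False
        elif cur is None or not line.startswith("•"):
            continue  # blank lines and the 'Joe Sandbox IDA Plugin' / 'Similarity' headers
        elif in_apis and (m := API_RE.match(line)):
            name, module, args, ref = m.groups()
            cur["apis"].append({"name": name, "module": module, "ref": ref,
                                "args": [a.strip() for a in args.split(",")]})
        elif m := SRC_RE.match(line):
            cur["source_file"], cur["offset"] = m.group(1), int(m.group(2), 16)
            cur["based_on_pe"] = m.group(3) == "true"
        elif m := FIELD_RE.match(line):
            key, val = m.groups()
            cur["fields"][key] = val
            if key == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = None
    return records


def apis_by_dump(records):
    """Imports called from each dumped region: a one-glance view of what a dump does."""
    out = defaultdict(set)
    for r in records:
        for a in r["apis"]:
            out[r["source_file"]].add(f'{a["name"]}.{a["module"]}')
    return {k: sorted(v) for k, v in out.items()}


def shared_call_sites(records):
    """Call-site 'ref' -> Opcode IDs of every record listing it. One ref under several
    Opcode IDs (0A01A2BD above) is one call instruction indexed under two function
    records, not two calls: count refs, not records, when sizing up API usage."""
    sites = defaultdict(list)
    for r in records:
        for a in r["apis"]:
            sites[a["ref"]].append(r["fields"].get("Opcode ID"))
    return {ref: ids for ref, ids in sites.items() if len(ids) > 1}


def wm_close_posts(records):
    """Refs of PostMessageW stubs whose Msg argument is WM_CLOSE, i.e. code that asks a
    window to close; '?' is taken to be an argument the report did not resolve."""
    hits = {a["ref"] for r in records for a in r["apis"]
            if a["name"] == "PostMessageW" and len(a["args"]) > 1
            and a["args"][1] != "?" and int(a["args"][1], 16) == WM_CLOSE}
    return sorted(hits)
```

Run `parse_records` over a full report export rather than `SAMPLE` to get the same three summaries for every dump; the hex `ref` values are addresses inside the dumped region, so they can be looked up directly in the matching `.sdmp` file at `ref - offset`.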
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: (aq
                            • API String ID: 0-600464949
                            • Opcode ID: 91efeefcca3095373aaf723ad4d6ef680297d21ccf008f41ccf3f3dcdfedff1d
                            • Instruction ID: adf9fc3f1a25145bc9889235c233ecb7695d316d6e571b828eb7f7d89d1041cf
                            • Opcode Fuzzy Hash: 91efeefcca3095373aaf723ad4d6ef680297d21ccf008f41ccf3f3dcdfedff1d
                            • Instruction Fuzzy Hash: FA518F34F042498FDB48ABB8A46826EBBF3FFC9310B24456DD546C7381EF7899428B51
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: (_]q
                            • API String ID: 0-188044275
                            • Opcode ID: 62089b6b29c7b3db0d64ce79bb274ceb4b851411d5919657a1f99258040a6b58
                            • Instruction ID: bfb12ae4401ec24b662b0d1ca47304dcc80174388fbeccf07a068472bc3ec6a0
                            • Opcode Fuzzy Hash: 62089b6b29c7b3db0d64ce79bb274ceb4b851411d5919657a1f99258040a6b58
                            • Instruction Fuzzy Hash: 04516234A102088FDB44EFA8D854AAD7BF6FF89310F158569E506EB361DF749C46CB90
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: PH]q
                            • API String ID: 0-3168235125
                            • Opcode ID: 6f74ae9a957180a2fb34f38fc2187bf0085ab7c218ebfcf978984e47a3433559
                            • Instruction ID: 1d6e61f2141b9fcc784c50e60745a15341f0e161ffc829652b31728c54901e56
                            • Opcode Fuzzy Hash: 6f74ae9a957180a2fb34f38fc2187bf0085ab7c218ebfcf978984e47a3433559
                            • Instruction Fuzzy Hash: 9851E331E583898FCBA5CB79D84466ABFF6AF81310F0885AED54487A92D730D881CB91
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: (aq
                            • API String ID: 0-600464949
                            • Opcode ID: 7b54f4448c1d3aa928668447e28d070d8b7b8148bd5432ea78dde401425043f0
                            • Instruction ID: 61a03fec3759c88a8acd88c0664952c15b8c0c9b5b3e4ebcc29282a7202feef8
                            • Opcode Fuzzy Hash: 7b54f4448c1d3aa928668447e28d070d8b7b8148bd5432ea78dde401425043f0
                            • Instruction Fuzzy Hash: 2241B531A502048FC769DF38E854A6EBBFAEFC4310B148669D1068B655DB74EC4ACBD1
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: (aq
                            • API String ID: 0-600464949
                            • Opcode ID: 43c6b2ef1df9c903db6aec71d9b3787c1f2fd323404e6037326a478849b7e775
                            • Instruction ID: 50f26884611dfa81bde64395f3106c40ab802b56cb6862a6e65ca9df7451d5c2
                            • Opcode Fuzzy Hash: 43c6b2ef1df9c903db6aec71d9b3787c1f2fd323404e6037326a478849b7e775
                            • Instruction Fuzzy Hash: FE112636F083555FD7959B39581066E7BEADFCA250B1A80EAD508D3382DE38CD068761
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a4a52827f146fb5cf07007caf77fc807e7d3cf87a695eba1a84b53d2d2de5719
                            • Instruction ID: 922047539b7fac42d36a5db8c388da4e78dbaba4f3949d4bcd874c99c53bdf23
                            • Opcode Fuzzy Hash: a4a52827f146fb5cf07007caf77fc807e7d3cf87a695eba1a84b53d2d2de5719
                            • Instruction Fuzzy Hash: 4C029F30A006098FEBA5DF68C854B9ABBF2BF85300F158599D509AB752DB31ED85CF90
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f53c0b71342a9cd98d438362328564863b07cc4b53b591f628e017e6f4eb87a6
                            • Instruction ID: f39a289911827a882d006b04b12016676d75a8c9c30172968cca2942a8876b08
                            • Opcode Fuzzy Hash: f53c0b71342a9cd98d438362328564863b07cc4b53b591f628e017e6f4eb87a6
                            • Instruction Fuzzy Hash: 94127C34A01208CFCB2ADFB4D19499DBBB7FF89305B60856DD505AB391CB76A982CF50
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 82ccd4bc8406617d0f00a72198184406bcf6a01818519f2c63e33ef66fd3d339
                            • Instruction ID: 63a4b7a0301fa07634e4939a4cda77f48916e7c50a6e760d43cb38e3ad79c8da
                            • Opcode Fuzzy Hash: 82ccd4bc8406617d0f00a72198184406bcf6a01818519f2c63e33ef66fd3d339
                            • Instruction Fuzzy Hash: 2FF15B34E102499FDB95DFA8D494AAD7BF6FF88300F154468E9029B392DB35DC45CB90
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 69070683e001848a61701696d26b9bfcc956b6f475f0a901bf5a3898552901d8
                            • Instruction ID: 207f9ce7126c54afd98a46636469f428a24f6357cec3da3cceb73acf5f72c51c
                            • Opcode Fuzzy Hash: 69070683e001848a61701696d26b9bfcc956b6f475f0a901bf5a3898552901d8
                            • Instruction Fuzzy Hash: EE127C34A01208CFCB2ADFB4D19499DBBB7FF89305B60856DD505AB391CB76A982CF50
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2dd4befae6586973458348d4619e18d4305ffa3603aa94e054b84fc518d03389
                            • Instruction ID: cf70c404159cb27b5edc980e2e561bd9b30c2ca7e6e8d6dba05d429dd2e88e4e
                            • Opcode Fuzzy Hash: 2dd4befae6586973458348d4619e18d4305ffa3603aa94e054b84fc518d03389
                            • Instruction Fuzzy Hash: 66023A35A10719CFDB54DF78C854A99BBB1FF89310F118699E949AB361EB30E981CF80
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b346b649f22709bedb0decf9cfff4d41a1794953ead34894b6466a6735418404
                            • Instruction ID: e090f9ba8457086edf115404121119773b9be55253dae9b03b8d019ea0b231bd
                            • Opcode Fuzzy Hash: b346b649f22709bedb0decf9cfff4d41a1794953ead34894b6466a6735418404
                            • Instruction Fuzzy Hash: 32D18A34F502489BDB94DFB8E854AAE7BF2AF88200F148469E905EB385DF74DD058B91
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 14ecc0e981d111c20530f7530f5c6ca4a2f3e674040becc7a76e890d2cb1aaa8
                            • Instruction ID: fa79c74cd4d8b1ac30fbafc4bb1694b611f29f2c19740c23453f8b0c08d073c7
                            • Opcode Fuzzy Hash: 14ecc0e981d111c20530f7530f5c6ca4a2f3e674040becc7a76e890d2cb1aaa8
                            • Instruction Fuzzy Hash: 02C17C34B202049FDB54DF78D494A6E7BF6EF88300F108469E6069B795DB76EC45CB90
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2062a0dc2b6078dfcf0d7be46512034af0e2be2554d3fbc08202a9432ce6473d
                            • Instruction ID: 31d1d6be9cc70a966afcc1fa28f7d2d6fe9833ff4276201619000377e195ad89
                            • Opcode Fuzzy Hash: 2062a0dc2b6078dfcf0d7be46512034af0e2be2554d3fbc08202a9432ce6473d
                            • Instruction Fuzzy Hash: 92C16B35B102059FDB54DF69D844AAEBBF6EF88310B158528E905DB3A4EB30EC46CB91
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fcd8dae12616a652d679abfbe3834da764c046673b28c3b8e92fb590ca4b4b9a
                            • Instruction ID: a7b17d16c21bdb59c063bdbac6c20d07e5e637ad09d4d73f8b9bcaf844f537d9
                            • Opcode Fuzzy Hash: fcd8dae12616a652d679abfbe3834da764c046673b28c3b8e92fb590ca4b4b9a
                            • Instruction Fuzzy Hash: 51E19970A007098FEBA4DF28C454B9ABBF2FF85300F158699D549AB652DB31ED85CF90
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4a29a7b3e335d4f674461b0bbadaeba1c51f88daba506952fa4ad2abbfb43f0e
                            • Instruction ID: 90b94af6316691dd5b155a5163fc1845ea474b50cb5eb154cd2b229fb208e4c3
                            • Opcode Fuzzy Hash: 4a29a7b3e335d4f674461b0bbadaeba1c51f88daba506952fa4ad2abbfb43f0e
                            • Instruction Fuzzy Hash: CEC184B4AA8100CFE38CEF59E594B697BF5E784340B194155E232CBB5AD770ED888BC1
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3a4e76087bb592f9c4cdc5008669f3fa63eaa828871db31805336ef06c1fca5a
                            • Instruction ID: 839a941907e690e64dad4deadf69687e3484030258b4139dc4a11bccd47037a8
                            • Opcode Fuzzy Hash: 3a4e76087bb592f9c4cdc5008669f3fa63eaa828871db31805336ef06c1fca5a
                            • Instruction Fuzzy Hash: 4EC13A3191071ADFDB50DF78C854A99BBB1FF49310F118699E989AB261EB30E9C1CF80
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e01c0c033504c7e1b21a8045c3f5d9a4c6d3442b684d7fd168fd92f896fa8adc
                            • Instruction ID: b708568b23ea2fb77645d3aa76898123ba1b33f33ba68ef619b167ec5c9e1838
                            • Opcode Fuzzy Hash: e01c0c033504c7e1b21a8045c3f5d9a4c6d3442b684d7fd168fd92f896fa8adc
                            • Instruction Fuzzy Hash: C7A1F435A502489FCB55DF68D888E9DBBF2EF89320F154499E905DB362DB30EC81CB50
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a940ea55ffbcba1f4d2a3d326957c633d6e3ebbfd856f3fed9caa89b028cf25b
                            • Instruction ID: 08ffb364234a7134c30b377e3f7fe61ecad876616c19f8b1a760c2a7927247ae
                            • Opcode Fuzzy Hash: a940ea55ffbcba1f4d2a3d326957c633d6e3ebbfd856f3fed9caa89b028cf25b
                            • Instruction Fuzzy Hash: E9819D31A142099FCB44EFB8D894AAF7FE6EF89310B108569E919D7341DF30D9418BA1
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 51d188172fac1d9751f5b843c31fffefa3b5993e0ee43b5a320925329cad7004
                            • Instruction ID: 6458c6fe5501e94d0830343f44566e3828ba6e00ba1bf0a05500cf6cad9528ed
                            • Opcode Fuzzy Hash: 51d188172fac1d9751f5b843c31fffefa3b5993e0ee43b5a320925329cad7004
                            • Instruction Fuzzy Hash: 8071CC34F442489FDB54DBB89854B6E7FE2EF85300F2484AAD905CB382DE369D42CB91
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b883982ea16fb505050c656eddc9738ee1e69b640c98745bbb931e2daab5b767
                            • Instruction ID: 7213f70c37a51b85af3c79156ae40a2dd64e7a267b68c54b7d2035bc0c8b2c4a
                            • Opcode Fuzzy Hash: b883982ea16fb505050c656eddc9738ee1e69b640c98745bbb931e2daab5b767
                            • Instruction Fuzzy Hash: D3612430B042454FDB5A9B78986066EBFE2EFC6310B2585AAD945DB382CF34EC45C7E1
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 438ab9e81322dab98e82c68ad2eb7002bfc11c2e7bcf1dbee7aca618d9b0ac0b
                            • Instruction ID: 4259940696b93aa912f103bc3f19f598e8b9e8f64aef8fbb391648c9704cc1c3
                            • Opcode Fuzzy Hash: 438ab9e81322dab98e82c68ad2eb7002bfc11c2e7bcf1dbee7aca618d9b0ac0b
                            • Instruction Fuzzy Hash: BD516E35B007009FCB649FB9D89496ABBF6FFC92107148A2DE946CB721DA71EC45CB90
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3eab61ab355e49c2b6d21500b2ceef4e15225a00d4e3a0f04206d38a9066b26c
                            • Instruction ID: 833a54c73015d199a8aac7cad74b4a2b32f9e7dbce632c461c94a530d8f83a8f
                            • Opcode Fuzzy Hash: 3eab61ab355e49c2b6d21500b2ceef4e15225a00d4e3a0f04206d38a9066b26c
                            • Instruction Fuzzy Hash: 67616B34A102059FCB54DF68D494A9EBBF6FF88300F108569EA069B761DB72ED45CFA0
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7dd4d33f9077ed761385e0c34cd037c71c46f091632feb51a41ed4efe75830e2
                            • Instruction ID: 2a555c3a2119d923db3b419cb06cd6f10fdd030e384e48f71b1b026f8d1c3fca
                            • Opcode Fuzzy Hash: 7dd4d33f9077ed761385e0c34cd037c71c46f091632feb51a41ed4efe75830e2
                            • Instruction Fuzzy Hash: 3951FE31B002158FCB50DF68C8809AEBBF6EF88310B158569D5099B361DB74ED0ACBE1
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8281dc9ea9e26994819fa8cc8260256d8dca77d31ed74ba7e50e347f599b6253
                            • Instruction ID: 7d9237c8ffb0f141c0885d62b0838e40435e4cdc043da2390e9a6f1d4f423159
                            • Opcode Fuzzy Hash: 8281dc9ea9e26994819fa8cc8260256d8dca77d31ed74ba7e50e347f599b6253
                            • Instruction Fuzzy Hash: 0751BF347402159FDB44DF69D998A6EBBF6BF8871071480A9E606CB775CB31EC05CB90
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 671a6923e6cea421104717addec7f1d49c4264510ef6b877d0b6c55ed88b388a
                            • Instruction ID: b589e7176d9a13732b8c3c970d40eb9f53a96cf6e2f0635667da8638900356d6
                            • Opcode Fuzzy Hash: 671a6923e6cea421104717addec7f1d49c4264510ef6b877d0b6c55ed88b388a
                            • Instruction Fuzzy Hash: F8710634A50209DFDB95CF68D598A9DBFF2FF44311F014468E9029B661DB74E885CF90
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0cd2f57007bdf6c7f3b7ca600136565683d294fcaacf8580b0e1f478d4b87648
                            • Instruction ID: 710f7367f2d9cb79bcc8bed6687b84f1a95357dbba26b0001252c0df82bce192
                            • Opcode Fuzzy Hash: 0cd2f57007bdf6c7f3b7ca600136565683d294fcaacf8580b0e1f478d4b87648
                            • Instruction Fuzzy Hash: 09512435A10208EFCB95CF58D888A9DBBF6FF98320F158565E5059B761D730E881CB90
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0868a6cfaa5a9a72e4ecaf0545836f338de7eaeaebda95b088a24558ad950c1c
                            • Instruction ID: 2ff61fa46e07adf30036c068c083141b7bce23b538df377da28947654064176f
                            • Opcode Fuzzy Hash: 0868a6cfaa5a9a72e4ecaf0545836f338de7eaeaebda95b088a24558ad950c1c
                            • Instruction Fuzzy Hash: FE51E634A103499FCB55DF74E844BAEBBF6FF85300F108569E545AB291EB70AC85CB90
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3569c04efef8d1ac493a130508409a34d262da85b799daf34626b3478468cf98
                            • Instruction ID: a98e80b4a861b7445f2722e0e549c5d503347e623e72172982ebd04942432920
                            • Opcode Fuzzy Hash: 3569c04efef8d1ac493a130508409a34d262da85b799daf34626b3478468cf98
                            • Instruction Fuzzy Hash: 7251E479A511099FCB48CF68D99489DFBB2FF89310B258659E916EB371CB30EC41CB90
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 02c268fac3d808dd106513f475123fa74daad7c2b740b2570a942523a366cdb5
                            • Instruction ID: a9bf5e3887f52ba6aa819b3b53ba1b2f6e709654362b370543a69f47fb1a1d49
                            • Opcode Fuzzy Hash: 02c268fac3d808dd106513f475123fa74daad7c2b740b2570a942523a366cdb5
                            • Instruction Fuzzy Hash: C651E475A511099FCB48CF68D99489EBBF2FF89310B258259E9169B375CB30EC42CB90
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 70102925424c5a750ccc5b7d51b349d33e759c6716e7cc4245634abd202c2cd7
                            • Instruction ID: bd503bd5c19bc7503c6d91a71c6543dbb155dec37238bb87cdce9074c33ef14c
                            • Opcode Fuzzy Hash: 70102925424c5a750ccc5b7d51b349d33e759c6716e7cc4245634abd202c2cd7
                            • Instruction Fuzzy Hash: 8D416C35A10305CFCB54EF78D844AAEBBB6FF88300F10456DD509AB255EB75E846CBA0
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6bd7009d6adad8e03c3294a9f23383ee2b3f6ed00fbe70abdb6dee557f8ab636
                            • Instruction ID: d37fca26ad8a924016817a263df7b1b4c7f751ee973f5a3ae4a13a97182079e5
                            • Opcode Fuzzy Hash: 6bd7009d6adad8e03c3294a9f23383ee2b3f6ed00fbe70abdb6dee557f8ab636
                            • Instruction Fuzzy Hash: 49416E35A10305CFCB54EF78D844AAEBBB6FF88300F10856DD50AAB254DB75E846CB90
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 49d0d824972c95e50610b9f6ec7a1f8611ee31c3afda54981ccb4b3273b56995
                            • Instruction ID: 2a090a6a33ca127f1b080ab7cc3f6c402616a3daf0a953d9ca6d95575c63c0b9
                            • Opcode Fuzzy Hash: 49d0d824972c95e50610b9f6ec7a1f8611ee31c3afda54981ccb4b3273b56995
                            • Instruction Fuzzy Hash: 33419635E106099FC744ABB4E458BDDB7B5FF89300F10862DE545A7391EFB0A985CB50
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ec75b791111daa2084aeab791274307224657d6b705c337e6f5db4dedfad02a6
                            • Instruction ID: dcd970722cd1a0f6c0b35385e5b4a6bc32843d61f5960a2010ac4906887ea47c
                            • Opcode Fuzzy Hash: ec75b791111daa2084aeab791274307224657d6b705c337e6f5db4dedfad02a6
                            • Instruction Fuzzy Hash: 0D41C330A21308CFCB45EF64D8649AD7FB2FF46310F1541A9E502AB262DF749D4ACB90
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 545ba4fc5b7cc8bc0e7eceb70e7abd7a6dd3f986db7b244f3fdcfa1fc3f776d3
                            • Instruction ID: 6182a34da909a57ecf99fc982114db0513a4df4a04984ea4ceb8ec1cc4afd79b
                            • Opcode Fuzzy Hash: 545ba4fc5b7cc8bc0e7eceb70e7abd7a6dd3f986db7b244f3fdcfa1fc3f776d3
                            • Instruction Fuzzy Hash: 3A413B34A10204DFD754DFA8D594AADBBF6FF48305F108469EA059B790DB72AC46CFA0
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1933e01ba4083b1a1ef947c57d42c04271611e93b07f3363b041d310ebdf2ecd
                            • Instruction ID: 001c265df8a318046d4c60c247fb9f8b2a3f4668c739ddda6885386e3739d521
                            • Opcode Fuzzy Hash: 1933e01ba4083b1a1ef947c57d42c04271611e93b07f3363b041d310ebdf2ecd
                            • Instruction Fuzzy Hash: 24213634A483089BD791AB68E814B6E3FF6DFC1344F0441EAE119DB691DF788906CBE1
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 50b2c8ca37ed87090847bfec2f53183d2afb9cb87dd68326144f3263ae190f89
                            • Instruction ID: dda8e699569d53c82877d65ece4c62e3a72f987342ef959a8bd99a914c3f82d4
                            • Opcode Fuzzy Hash: 50b2c8ca37ed87090847bfec2f53183d2afb9cb87dd68326144f3263ae190f89
                            • Instruction Fuzzy Hash: 4C219E30B10209CFCB54EB69E9509AE7BFAFF88601B104269D5069B765EF34EC46CB91
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c4e62db5e60e39f3d7e4ce8b357d1f2079c3a2e6cf1813a808160186172b0557
                            • Instruction ID: ae58af62fe802f786e3d8ef8d6e324e777e0533792d9465344fee2e69ffd4fc6
                            • Opcode Fuzzy Hash: c4e62db5e60e39f3d7e4ce8b357d1f2079c3a2e6cf1813a808160186172b0557
                            • Instruction Fuzzy Hash: 9421F130B10345CFCB51AB68E990AAE7BF6EFC9600B0442A9D406DB755EF34EC45CB91
                            Memory Dump Source
                            • Source File: 00000002.00000002.2197365991.000000000294D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0294D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_294d000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1fa25f0dc820bd117cbaa1d2225e7edd34709533c4f9f764de5c2c2bdebf40f8
                            • Instruction ID: 6e0d86c803ae93787e45ce5bca250433a6f044f3907b10284ba70592bd46f526
                            • Opcode Fuzzy Hash: 1fa25f0dc820bd117cbaa1d2225e7edd34709533c4f9f764de5c2c2bdebf40f8
                            • Instruction Fuzzy Hash: ED210379500204DFDB09DF14D9C0F26BF69FB98324F64C569E90D0B296C73AE456CAB2
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 75cd0403b19fb0743a10ab75201159c34043a02a7b84e24e5284cfced1e4cb72
                            • Instruction ID: da300788286a28fcdf2e42e2e6067b23b27850fff6a09827c22733c6187066b2
                            • Opcode Fuzzy Hash: 75cd0403b19fb0743a10ab75201159c34043a02a7b84e24e5284cfced1e4cb72
                            • Instruction Fuzzy Hash: 60213378B405158FC740CB69D99885ABBFAFF8961472580A9E906DB372CB30ED01CBA0
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bedd76ec02001872565badded0ab2033c9fe85e12c4d4869aacdfe4debb2b0ab
                            • Instruction ID: b647ef4b6201753fefb6e2a5714bd91112bddccf98e3928d306cb59c138f4eb6
                            • Opcode Fuzzy Hash: bedd76ec02001872565badded0ab2033c9fe85e12c4d4869aacdfe4debb2b0ab
                            • Instruction Fuzzy Hash: 9E21AE30D24259DFCB41EFB4DC508EEBBB4AF45200F01456EE401BB252EB70A94ACB91
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 11871103ad6546b0b0addae124bcd8d029c0457f9283df084dd47f6fa38f27fb
                            • Instruction ID: 7cfac795c5ff462446c32276b19b1b2f0996dd79f6502a09cb48951ddc53384a
                            • Opcode Fuzzy Hash: 11871103ad6546b0b0addae124bcd8d029c0457f9283df084dd47f6fa38f27fb
                            • Instruction Fuzzy Hash: 70115636B042445FC754AB3DE848D6E3BEEDFC9220B1944BAE50ACB361CD65DC0187A0
                            Memory Dump Source
                            • Source File: 00000002.00000002.2197443997.000000000295D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0295D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_295d000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cecb3d5fe5642d0f7b757460a1a49523ffb5117508de407529fcb4d33631ad14
                            • Instruction ID: 21da143db34a25cfe05db7507c28378ea2f6a1418878d36d64c44c9a10d2a708
                            • Opcode Fuzzy Hash: cecb3d5fe5642d0f7b757460a1a49523ffb5117508de407529fcb4d33631ad14
                            • Instruction Fuzzy Hash: D921DE71604244DFDB14DF24D984B26BBA9EF88314F24C969DD0A4B256C33AD847CBB2
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 501902a22f7896bebcb7ed54661eda658889631a979a2252b92f8990a88992fa
                            • Instruction ID: 1c259d45d9a13ec33dcc308d060a70347282c2041617b72e6feeccb8ae845814
                            • Opcode Fuzzy Hash: 501902a22f7896bebcb7ed54661eda658889631a979a2252b92f8990a88992fa
                            • Instruction Fuzzy Hash: 8C218C757101159FC784DF2AE888D6EBBEAFF89620714816AE509CB361CB30EC01CB64
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 93f5def7e4147730647a3fa582ab169b259a55f1dd9d817c4371ff468fcf0431
                            • Instruction ID: 728c67807842419a0fa9553c274e66113b687055f9f00d92e59715de0870710b
                            • Opcode Fuzzy Hash: 93f5def7e4147730647a3fa582ab169b259a55f1dd9d817c4371ff468fcf0431
                            • Instruction Fuzzy Hash: 1A215E347506018FC7A49F28E89861A7BE6FF88311B105968E55BCBB54DB70E8568B90
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5d8c02fc73ad3d1e76c501b22967170c7a35bb83452773956d41a90db83f4cfd
                            • Instruction ID: e98fd4cd5d7f8b0151e6d6d3cf30c9892eb89dbd79ca81b913b0b58e3c489442
                            • Opcode Fuzzy Hash: 5d8c02fc73ad3d1e76c501b22967170c7a35bb83452773956d41a90db83f4cfd
                            • Instruction Fuzzy Hash: 3221E278B104158FCB44DF69D99886AFBFAFF8961572140A9E906EB331CB30ED05CB60
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5761f9629e92b604292b468f7a011b563681cf9d7a3dcb46cb9c10cbe50cce3e
                            • Instruction ID: 1ba766271787854901da66efd4e33c10b4ff9fb06a4eb3d2ab63b09129214feb
                            • Opcode Fuzzy Hash: 5761f9629e92b604292b468f7a011b563681cf9d7a3dcb46cb9c10cbe50cce3e
                            • Instruction Fuzzy Hash: 7611A2316407149FC325CF2AD940947BBEAEFC9310B04897EE54AC7A62DA31EC46CB94
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a3a86fa7740460949a2a4da1ec37268f7d2633dffb5432486216a0fa8a90cfbf
                            • Instruction ID: 34f9eb570e288035b4aad99e5b7e23e25605482094c881fdd8a726904c2fb74c
                            • Opcode Fuzzy Hash: a3a86fa7740460949a2a4da1ec37268f7d2633dffb5432486216a0fa8a90cfbf
                            • Instruction Fuzzy Hash: 25218C32A106089FC795EF68D540D9BBBF8FF49210F10856EE146DBA50EB30F984CB90
                            Memory Dump Source
                            • Source File: 00000002.00000002.2197443997.000000000295D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0295D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_295d000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1cc7c9d7fc9bfb9dbc6916dd7e514e2d1bfe52dad9b13a549ba51ef912a6e457
                            • Instruction ID: 07778895d32c16f26350444cfc97e34523d2af9d6b12111e10a260e5634121e8
                            • Opcode Fuzzy Hash: 1cc7c9d7fc9bfb9dbc6916dd7e514e2d1bfe52dad9b13a549ba51ef912a6e457
                            • Instruction Fuzzy Hash: E721A1755093C08FDB02CF20D994B15BF71EF46214F28C5EAD8498B6A7C33A980ACB62
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 05d0bdece73dac58cc6b165a3cdd35680ade9eae224ab28742b9382dcda79050
                            • Instruction ID: 7a279941ee9b84edf3ba5663d55b130eafb8998370630dc816a89f353fc3968d
                            • Opcode Fuzzy Hash: 05d0bdece73dac58cc6b165a3cdd35680ade9eae224ab28742b9382dcda79050
                            • Instruction Fuzzy Hash: 95210431E106088FDB58DFA9D958ADDBBF2FF8C311F54806AD505B7260EB719984CBA0
                            Memory Dump Source
                            • Source File: 00000002.00000002.2197365991.000000000294D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0294D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_294d000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 07d586b370810bf15e8d939e07fb0dccd80900219e7a08ccebccaf9c83e80135
                            • Instruction ID: cb009a38932542c9b8961807ef263fddd4cedbeeb3ec006540568e1fd9dba1ba
                            • Opcode Fuzzy Hash: 07d586b370810bf15e8d939e07fb0dccd80900219e7a08ccebccaf9c83e80135
                            • Instruction Fuzzy Hash: 88112676404280CFDB06CF10D9C4B16BF71FB84324F24C6A9D9090B656C33AE45ACBA2
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 63e300006bc839668cda9f184628abafabcb866d9b141e0ab4fde0c19baaad4e
                            • Instruction ID: 53a0975c668e5effd7f6b89ece80fe48459a35b019e2bf25b8f4eb0b06feab56
                            • Opcode Fuzzy Hash: 63e300006bc839668cda9f184628abafabcb866d9b141e0ab4fde0c19baaad4e
                            • Instruction Fuzzy Hash: DE115E75710210AFDB55CF19D888A6ABBFAFF88711B088065F9098B665C731EC50CBA0
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 82862aa4977366de0534e1b64f10183284a5ae021585fa0fa3272af4aefcdac6
                            • Instruction ID: 7b6a4f7f35723af8980bc6aa718f921e83dd2c4f43e283ef2879fed79591e8e5
                            • Opcode Fuzzy Hash: 82862aa4977366de0534e1b64f10183284a5ae021585fa0fa3272af4aefcdac6
                            • Instruction Fuzzy Hash: C411A975A002049FCB00DF78D844DAEBFF5FF89310B10066AE945D7321D7709945CBA0
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 22b57a23fda0087d3cb3375e4f121488156becac259ac3f11fc64751fa8f698e
                            • Instruction ID: 8f8bc13b9bf5a5aa7c1b4b937b820091b63b43b2ba9906dfcc2447e75cba0d51
                            • Opcode Fuzzy Hash: 22b57a23fda0087d3cb3375e4f121488156becac259ac3f11fc64751fa8f698e
                            • Instruction Fuzzy Hash: 87114874E601189BDF44DFA8D985AECBBF2FF48311F54402AE504B7760CB3198448F60
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1d83c5aba44b55d4c8bba8ffe35b9869de6576ee2fb727e5394c6e478ba0e88f
                            • Instruction ID: 92250aae7bf6927b446cfc4eac6a82434c5731344e38e1881ee82de3fb9c7fe2
                            • Opcode Fuzzy Hash: 1d83c5aba44b55d4c8bba8ffe35b9869de6576ee2fb727e5394c6e478ba0e88f
                            • Instruction Fuzzy Hash: A301D231A14304AFC796DF64D840E977FE9EF45210F10459EE146DB551DA34E886CBA1
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c435378e523a765ee8e9dbb0c24a67cd91c0e7a60bf789acd8dad7b97c1c2b1f
                            • Instruction ID: 3581a68ccb67d55373aa4ba014c05eead2a8bea24ddca8a26371ceb23ce0b7fe
                            • Opcode Fuzzy Hash: c435378e523a765ee8e9dbb0c24a67cd91c0e7a60bf789acd8dad7b97c1c2b1f
                            • Instruction Fuzzy Hash: FD111270E502189FCB44DFA8E994ADDBBF2FF89310F54402AE504B7360CB31A844CBA4
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6cb8e02942d1605738315b2fa5f8d70289f00fc60f11a0169619e8edd95c59d2
                            • Instruction ID: bd9ab60befeeb5981ead9a955fb6a01df17338c829c2861702a67b8163c994e8
                            • Opcode Fuzzy Hash: 6cb8e02942d1605738315b2fa5f8d70289f00fc60f11a0169619e8edd95c59d2
                            • Instruction Fuzzy Hash: A911C875A04208FFCB81CFA8D9449ADBFF1EF08210F1484A9E949D7261D732DA51EF61
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 145f59d8d87d6108a464f74db73b1eb0670f92b6d37afd7dd1cee849e3aa22c5
                            • Instruction ID: 1ab511e433404145f8411c9c7a45a450c26cd64a0072d6af17dcb2eec817f8c7
                            • Opcode Fuzzy Hash: 145f59d8d87d6108a464f74db73b1eb0670f92b6d37afd7dd1cee849e3aa22c5
                            • Instruction Fuzzy Hash: 50014075A106099FCB44DFA8D888CAEBBF9FF89311B10456AE905D7320DB70A944CBA0
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3fee6e5befd10610af4f6e3ab2be0c7fbf2710d95a80bc58a2e51a25f27380f5
                            • Instruction ID: ce11c8d771365f28df15be7769ea00120775e28596d9004689d52eefa03f35be
                            • Opcode Fuzzy Hash: 3fee6e5befd10610af4f6e3ab2be0c7fbf2710d95a80bc58a2e51a25f27380f5
                            • Instruction Fuzzy Hash: 4C01C431D44265ABCB658FA6C814AAEBFF6AF48300F04446AD652B76A0CF359901DBB0
                            Memory Dump Source
                            • Source File: 00000002.00000002.2207701394.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_60f0000_RegAsm.jbxd