Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1467879
MD5: 0b147a2bc6013c0de94e6e30a8c419db
SHA1: 12ea4e8059b4c38fd1810a4847951a96b5305d38
SHA256: 7cf88e667498e50034c25767aaf38bca971a5c995f61fe686b44f7bcc0f71851
Tags: exe
Infos:

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RedLine Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • file.exe (PID: 6060 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 0B147A2BC6013C0DE94E6E30A8C419DB)
    • RegAsm.exe (PID: 2732 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • WerFault.exe (PID: 876 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6060 -s 272 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": "77.105.135.107:3445", "Bot Id": "LogsDiller Cloud (TG: @logsdillabot)", "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security |
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000002.00000002.2246916102.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
Process Memory Space: file.exe PID: 6060 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

Source | Rule | Description | Author | Strings
0.2.file.exe.f35ae0.1.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0.2.file.exe.f35ae0.1.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
2.2.RegAsm.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0.2.file.exe.f00000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

No Sigma rule has matched

Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
07/05/24-00:25:02.988901 | 2046056 | 3445 | 49711 | TCP | A Network Trojan was detected
07/05/24-00:24:57.551670 | 2046045 | 49711 | 3445 | TCP | A Network Trojan was detected
07/05/24-00:25:09.628865 | 2043231 | 49711 | 3445 | TCP | A Network Trojan was detected
07/05/24-00:24:57.748151 | 2043234 | 3445 | 49711 | TCP | A Network Trojan was detected

AV Detection

Source: 00000002.00000002.2247954383.0000000002A41000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": "77.105.135.107:3445", "Bot Id": "LogsDiller Cloud (TG: @logsdillabot)", "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}
Source: file.exe | ReversingLabs: Detection: 55%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F1F6FD FindFirstFileExW,0_2_00F1F6FD

Networking

Source: Traffic | Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.6:49711 -> 77.105.135.107:3445
Source: Traffic | Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.6:49711 -> 77.105.135.107:3445
Source: Traffic | Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 77.105.135.107:3445 -> 192.168.2.6:49711
Source: Traffic | Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 77.105.135.107:3445 -> 192.168.2.6:49711
Source: Malware configuration extractor | URLs: 77.105.135.107:3445
Source: global traffic | TCP traffic: 192.168.2.6:49711 -> 77.105.135.107:3445
Source: Joe Sandbox View | IP Address: 77.105.135.107
Source: Joe Sandbox View | ASN Name: PLUSTELECOM-ASRU
Source: unknown | TCP traffic detected without corresponding DNS query: 77.105.135.107
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
                        Source: RegAsm.exe, 00000002.00000002.2247362351.0000000000E1E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://purl.oen
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002A41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002A41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002A41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002A41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002A41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002A41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002A41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002A41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002A41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002A41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002A41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002A41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F02880 0_2_00F02880
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F1B11C 0_2_00F1B11C
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F1125C 0_2_00F1125C
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F03320 0_2_00F03320
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F115A4 0_2_00F115A4
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F19D96 0_2_00F19D96
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F15570 0_2_00F15570
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F21D31 0_2_00F21D31
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F236B5 0_2_00F236B5
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00ECDC74 2_2_00ECDC74
                        Source: C:\Users\user\Desktop\file.exe Code function: String function: 00F0B8C0 appears 54 times
                        Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6060 -s 272
                        Source: file.exe, 00000000.00000002.2138045741.0000000000F77000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamePunningly.exe8 vs file.exe
                        Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@4/6@0/1
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\SystemCache
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Mutant created: NULL
                        Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6060
                        Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\738493fb-b533-4fe4-b840-7c8d1cdaed67
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                        Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: RegAsm.exe, 00000002.00000002.2247954383.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2247954383.0000000002EB6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2247954383.0000000002FDE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2247954383.0000000002EA0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2247954383.0000000002F34000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2247954383.0000000002F4A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                        Source: file.exe ReversingLabs: Detection: 55%
                        Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                        Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                        Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6060 -s 272
                        Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
                        Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mscoree.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dwrite.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msvcp140_clr0400.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: secur32.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windowscodecs.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32
                        Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                        Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                        Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                        Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                        Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                        Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                        Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                        Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                        Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                        Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                        Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F0B288 push ecx; ret 0_2_00F0B29B
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: E90000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2A40000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 4A40000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 1944
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6996 Thread sleep time: -6456360425798339s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4136 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F1F6FD FindFirstFileExW,0_2_00F1F6FD
                        Source: Amcache.hve.5.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                        Source: RegAsm.exe, 00000002.00000002.2251488982.0000000003DF6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                        Source: RegAsm.exe, 00000002.00000002.2251488982.0000000003DF6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                        Source: RegAsm.exe, 00000002.00000002.2251488982.0000000003D4C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696487552
                        Source: RegAsm.exe, 00000002.00000002.2251488982.0000000003DF6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                        Source: RegAsm.exe, 00000002.00000002.2251488982.0000000003D4C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                        Source: RegAsm.exe, 00000002.00000002.2251488982.0000000003DF6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                        Source: RegAsm.exe, 00000002.00000002.2251488982.0000000003DF6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                        Source: Amcache.hve.5.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                        Source: RegAsm.exe, 00000002.00000002.2251488982.0000000003DF6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696487552s
                        Source: RegAsm.exe, 00000002.00000002.2251488982.0000000003D4C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696487552
                        Source: RegAsm.exe, 00000002.00000002.2251488982.0000000003DF6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                        Source: RegAsm.exe, 00000002.00000002.2251488982.0000000003DF6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696487552t
                        Source: RegAsm.exe, 00000002.00000002.2251488982.0000000003DF6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696487552x
                        Source: RegAsm.exe, 00000002.00000002.2251488982.0000000003DF6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696487552}
                        Source: RegAsm.exe, 00000002.00000002.2251488982.0000000003D4C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                        Source: RegAsm.exe, 00000002.00000002.2251488982.0000000003DF6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F12C23 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00F12C23
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F19B12 mov eax, dword ptr fs:[00000030h] 0_2_00F19B12
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F169CE mov ecx, dword ptr fs:[00000030h] 0_2_00F169CE
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F19B56 mov eax, dword ptr fs:[00000030h] 0_2_00F19B56
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F22E46 GetProcessHeap,0_2_00F22E46
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F0B905 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00F0B905
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F12C23 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00F12C23
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F0B69A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00F0B69A
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F0B7F6 SetUnhandledExceptionFilter,0_2_00F0B7F6
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: page read and write | page guard

                        HIPS / PFW / Operating System Protection Evasion

                        Source: C:\Users\user\Desktop\file.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_030F018D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,0_2_030F018D
                        Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                        Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                        Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
                        Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000
                        Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44E000
                        Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: AB7008
                        Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F0B380 cpuid 0_2_00F0B380
                        Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,0_2_00F228E6
                        Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW,0_2_00F189E6
                        Source: C:\Users\user\Desktop\file.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW,0_2_00F22280
                        Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00F22A0F
                        Source: C:\Users\user\Desktop\file.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00F22BE4
                        Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,0_2_00F22B15
                        Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,0_2_00F2247B
                        Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW,0_2_00F2256D
                        Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW,0_2_00F22522
                        Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00F22693
                        Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW,0_2_00F22608
                        Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,0_2_00F18F4C
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F0B594 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00F0B594
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                        Source: Amcache.hve.5.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                        Source: Amcache.hve.5.dr Binary or memory string: msmpeng.exe
                        Source: Amcache.hve.5.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
                        Source: Amcache.hve.5.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
                        Source: RegAsm.exe, 00000002.00000002.2257609176.0000000006A6C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                        Source: Amcache.hve.5.dr Binary or memory string: MsMpEng.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                        Stealing of Sensitive Information

                        Source: Yara match File source: dump.pcap, type: PCAP
                        Source: Yara match File source: 0.2.file.exe.f35ae0.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0.2.file.exe.f35ae0.1.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0.2.file.exe.f00000.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 00000002.00000002.2246916102.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match File source: 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: Process Memory Space: file.exe PID: 6060, type: MEMORYSTR
                        Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2732, type: MEMORYSTR
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
                        Source: Yara match File source: 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2732, type: MEMORYSTR

                        Remote Access Functionality

                        Source: Yara match File source: dump.pcap, type: PCAP
                        Source: Yara match File source: 0.2.file.exe.f35ae0.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0.2.file.exe.f35ae0.1.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0.2.file.exe.f00000.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 00000002.00000002.2246916102.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match File source: 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: Process Memory Space: file.exe PID: 6060, type: MEMORYSTR
                        Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2732, type: MEMORYSTR
                        Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
                        Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
                        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
                        Execution: 221 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
                        Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
                        Privilege Escalation: 411 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
                        Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 241 Virtualization/Sandbox Evasion; 411 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading
                        Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
                        Discovery: 1 System Time Discovery; 251 Security Software Discovery; 1 Process Discovery; 241 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 134 System Information Discovery
                        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
                        Collection: 1 Archive Collected Data; 2 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
                        Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
                        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
                        Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

                        Source      Detection   Scanner           Label               Link
                        file.exe    55%         ReversingLabs     Win32.Trojan.Zusy
                        file.exe    100%        Joe Sandbox ML
                        No Antivirus matches
                        http://schemas.xmlsoap.org/ws/2004/04/trust0%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id110%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id10ResponseD0%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id120%Avira URL Cloudsafe
                        http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse0%Avira URL Cloudsafe
                        http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel0%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id150%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id160%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id140%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id130%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id170%Avira URL Cloudsafe
                        http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce0%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id180%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id15ResponseD0%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id190%Avira URL Cloudsafe
                        http://schemas.xmlsoap.org/ws/2005/02/trust/Renew0%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id11ResponseD0%Avira URL Cloudsafe
                        http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey0%Avira URL Cloudsafe
                        http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.00%Avira URL Cloudsafe
                        http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID0%Avira URL Cloudsafe
                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT0%Avira URL Cloudsafe
                        http://schemas.xmlsoap.org/ws/2006/02/addressingidentity0%Avira URL Cloudsafe
                        http://tempuri.org/Entity/Id17ResponseD0%Avira URL Cloudsafe
                        No contacted domains info
                        Name | Malicious | Antivirus Detection | Reputation
                        77.105.135.107:3445 | true | Avira URL Cloud: safe | unknown
                        Name | Source | Malicious | Antivirus Detection | Reputation
                        IP | Domain | Country | ASN | ASN Name | Malicious
                        77.105.135.107 | unknown | Russian Federation | 42031 | PLUSTELECOM-ASRU | true
                        Joe Sandbox version: 40.0.0 Tourmaline
                        Analysis ID: 1467879
                        Start date and time: 2024-07-05 00:24:06 +02:00
                        Joe Sandbox product: CloudBasic
                        Overall analysis duration: 0h 5m 1s
                        Hypervisor based Inspection enabled: false
                        Report type: full
                        Cookbook file name: default.jbs
                        Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of analysed new started processes analysed: 9
                        Number of new started drivers analysed: 0
                        Number of existing processes analysed: 0
                        Number of existing drivers analysed: 0
                        Number of injected processes analysed: 0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode: default
                        Analysis stop reason: Timeout
                        Sample name: file.exe
                        Detection: MAL
                        Classification: mal100.troj.spyw.evad.winEXE@4/6@0/1
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 26
                        • Number of non-executed functions: 60
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                        • Excluded IPs from analysis (whitelisted): 13.89.179.12
                        • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                        • VT rate limit hit for: file.exe
Time | Type | Description
18:24:57 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
18:25:07 | API Interceptor | 11x Sleep call for process: RegAsm.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
77.105.135.107 | file.exe | malicious | RedLine
77.105.135.107 | file.exe | malicious | RedLine
77.105.135.107 | file.exe | malicious | RedLine
77.105.135.107 | setup.exe | malicious | RedLine
77.105.135.107 | 1719859269.0326595_setup.exe | malicious | LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig
                                  No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
PLUSTELECOM-ASRU | vGUfP1M4Q6.elf | malicious | Unknown | 77.105.135.60
PLUSTELECOM-ASRU | dM258lnwNu.elf | malicious | Unknown | 77.105.135.60
PLUSTELECOM-ASRU | file.exe | malicious | RedLine | 77.105.135.107
PLUSTELECOM-ASRU | file.exe | malicious | RedLine | 77.105.135.107
PLUSTELECOM-ASRU | file.exe | malicious | RedLine | 77.105.135.107
PLUSTELECOM-ASRU | file.exe | malicious | Unknown | 77.105.133.27
PLUSTELECOM-ASRU | setup.exe | malicious | RedLine | 77.105.135.107
PLUSTELECOM-ASRU | 1719859269.0326595_setup.exe | malicious | LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig | 77.105.135.107
PLUSTELECOM-ASRU | zyJWi2vy29.exe | malicious | LummaC, PureLog Stealer, RisePro Stealer, Vidar, zgRAT | 77.105.132.27
PLUSTELECOM-ASRU | 1719520929.094843_setup.exe | malicious | LummaC Stealer, Mars Stealer, PrivateLoader, PureLog Stealer, Socks5Systemz, Stealc, Vidar | 77.105.132.27
                                  No context
                                  No context
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):65536
                                  Entropy (8bit):0.7046310291679819
                                  Encrypted:false
                                  SSDEEP:192:MshTWWstoS1vQPlYt50c2tj03juGzuiF1Z24IO8ThBwR:fQWgQNuac2tIjfzuiF1Y4IO8LU
                                  MD5:D517F7C4C591ABC51B8D3280574A1FC0
                                  SHA1:A658A25580E08805B097243D95967AAF23F750CD
                                  SHA-256:F7D065D0996B763F35B10D62631AE5AA67D1E18E11C82A95C0FF9E71313C27E8
                                  SHA-512:4EF42A501E204AC38230A4CAD872CD7758ACD215284ED583836D1DBDD0230925C4EC02CC945CEE6ED3F7274586DD0BCCA1E853F935A124ED514A54A5E6F0424E
                                  Malicious:true
                                  Reputation:low
                                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.4.6.0.5.4.9.4.4.6.5.0.7.6.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.4.6.0.5.4.9.5.4.6.5.0.7.5.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.6.3.7.1.7.1.a.-.3.0.a.d.-.4.1.d.5.-.b.2.b.5.-.4.e.a.7.9.d.4.d.8.a.5.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.b.7.b.e.7.f.d.-.1.2.7.3.-.4.2.7.3.-.b.8.2.2.-.9.6.e.5.b.c.b.0.c.8.6.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.a.c.-.0.0.0.1.-.0.0.1.5.-.7.e.3.2.-.2.a.f.e.6.0.c.e.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.e.4.9.2.d.7.6.8.e.7.9.7.3.1.6.2.4.b.c.d.f.2.e.7.6.1.5.f.9.1.8.0.0.0.0.f.f.f.f.!.0.0.0.0.1.2.e.a.4.e.8.0.5.9.b.4.c.3.8.f.d.1.8.1.0.a.4.8.4.7.9.5.1.a.9.6.b.5.3.0.5.d.3.8.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.7.
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Mini DuMP crash report, 14 streams, Thu Jul 4 22:24:54 2024, 0x1205a4 type
                                  Category:dropped
                                  Size (bytes):52764
                                  Entropy (8bit):1.8967416394315122
                                  Encrypted:false
                                  SSDEEP:192:j2O6AgcwNwbhtOlv2hb9oYrnUiRLt4djfmf/zu7Ojj6eZmEgaLtDTcM9i:j4PabylvzYzUwL65fmf/YzKmEFtD4
                                  MD5:291841BB1F2AF3889FFD6629EBEC700F
                                  SHA1:B94473F303879903BEB18EF5C13A6C9522D92B92
                                  SHA-256:6CEFE13A874A2BCC45CC041FA247C3EBEBC1779661FAB185F175A314F52E6821
                                  SHA-512:76356E237C51AD3D33159B08871FEC5E1AFB0099127184155D5C51666EE2E03CF862199A0890FDC1399FE1DF3F701DACE07DC7A3401FF8C2892134615C1D4ACD
                                  Malicious:false
                                  Reputation:low
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):8260
                                  Entropy (8bit):3.6872818743363704
                                  Encrypted:false
                                  SSDEEP:192:R6l7wVeJYCP6H6Y2DDSU90p18/gmfByjv4pDH89b6Nsfx9em:R6lXJ36H6YuSU90p18/gmfkvN6GfL
                                  MD5:E9F3870981B04BDFC743089D23BF2296
                                  SHA1:A1A510C9FB9734872521FB82C68AF1A66F827435
                                  SHA-256:ED93051EE0E356A17E90869D7CF566F9581912B0DA631CC312060CE4AF3BB46C
                                  SHA-512:B5EB9C9B0BB9680DB91FF791627AB51E403FA40532CE9B7B9F06F8F2131493301DA7DD4EB880BDA8914DF28BF3C56B4CE8DD0D76CFF9C57AF1329AF5CF5103D9
                                  Malicious:false
                                  Reputation:low
                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.0.6.0.<./.P.i.
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):4537
                                  Entropy (8bit):4.426041368373842
                                  Encrypted:false
                                  SSDEEP:48:cvIwWl8zs5Jg77aI9AzWpW8VYW5Ym8M4JvsFBu1P+q8mcn8KVd:uIjfLI7qC7VyJBPQn5Vd
                                  MD5:DA5157DF9CD036978718C34E81A6E12B
                                  SHA1:3107E5F382C3A753DE8990927795D7757ABF1FF5
                                  SHA-256:9A4812FF00EB486F1B2AEDFD490592E2D64C075C6B236E9B12D1BCCDC5A4598C
                                  SHA-512:582DEEEC93E6912194E6B7B7091F7EBB4A1EC8B725681C8A2C7B009D76FC5215FD2EE83D5E36B0114D343A3233AFEA82C5ED35B7C76C0FB3AC18F16D5D875C39
                                  Malicious:false
                                  Reputation:low
                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="396807" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):3094
                                  Entropy (8bit):5.33145931749415
                                  Encrypted:false
                                  SSDEEP:96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
                                  MD5:3FD5C0634443FB2EF2796B9636159CB6
                                  SHA1:366DDE94AEFCFFFAB8E03AD8B448E05D7489EB48
                                  SHA-256:58307E94C67E2348F5A838DE4FF668983B38B7E9A3B1D61535D3A392814A57D6
                                  SHA-512:8535E7C0777C6B0876936D84BDE2BDC59963CF0954D4E50D65808E6E806E8B131DF5DB8FA0E030FAE2702143A7C3A70698A2B9A80519C9E2FFC286A71F0B797C
                                  Malicious:false
                                  Reputation:high, very likely benign file
                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:MS Windows registry file, NT/2000 or above
                                  Category:dropped
                                  Size (bytes):1835008
                                  Entropy (8bit):4.468439030221739
                                  Encrypted:false
                                  SSDEEP:6144:rzZfpi6ceLPx9skLmb0fGZWSP3aJG8nAgeiJRMMhA2zX4WABluuNbjDH5S:HZHtGZWOKnMM6bFp9j4
                                  MD5:996901F8E2D57FA25531DD94AE2F030F
                                  SHA1:7EC53A80BACEA1521795786EA81398AA954D2FA6
                                  SHA-256:B655261F344F7C1CF2BC5C51A43FCA1492B9C3288145992463CFEFA5B52FD3FC
                                  SHA-512:CA30DA276001E4EEAAA075ED3E147353FB2EA7B1E87084B9E75888BBE5C983B02E795975E6535554FAFBD46521016AAEE6B554E07F415442E298E00167169836
                                  Malicious:false
                                  Reputation:low
                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit):7.630645733267501
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:file.exe
                                  File size:530'432 bytes
                                  MD5:0b147a2bc6013c0de94e6e30a8c419db
                                  SHA1:12ea4e8059b4c38fd1810a4847951a96b5305d38
                                  SHA256:7cf88e667498e50034c25767aaf38bca971a5c995f61fe686b44f7bcc0f71851
                                  SHA512:066b3dbea66c6d7487998862dc90fb469d623a40227236d84271f54e07f613c4e7d9a510a0c5d926f4f9aa2fa7a7bed9323b00fc0785e9d4416c46674a0085ec
                                  SSDEEP:12288:E/U6a+H7rj53HjNjZOLJXz9A0UsyHOr0pyh:E/oc7xZjZqj952HOwc
                                  TLSH:F0B4E00175C08432E573123709E4EBB6AA7EF9700F655ECB6B880F6F8F612D1DA3165A
                                  Icon Hash:00928e8e8686b000
                                  Entrypoint:0x40afb9
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x6686FB84 [Thu Jul 4 19:44:04 2024 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:6
                                  OS Version Minor:0
                                  File Version Major:6
                                  File Version Minor:0
                                  Subsystem Version Major:6
                                  Subsystem Version Minor:0
                                  Import Hash:811cfc8e0687b9bcab4d19d1ac4a7df0
                                  Instruction
                                  call 00007F4B74E239C8h
                                  jmp 00007F4B74E23219h
                                  cmp ecx, dword ptr [00435040h]
                                  jne 00007F4B74E233A3h
                                  ret
                                  jmp 00007F4B74E23D01h
                                  jmp 00007F4B74E23ED1h
                                  push ebp
                                  mov ebp, esp
                                  jmp 00007F4B74E233AFh
                                  push dword ptr [ebp+08h]
                                  call 00007F4B74E30686h
                                  pop ecx
                                  test eax, eax
                                  je 00007F4B74E233B1h
                                  push dword ptr [ebp+08h]
                                  call 00007F4B74E2C8B7h
                                  pop ecx
                                  test eax, eax
                                  je 00007F4B74E23388h
                                  pop ebp
                                  ret
                                  cmp dword ptr [ebp+08h], FFFFFFFFh
                                  je 00007F4B74E23EACh
                                  jmp 00007F4B74E1FEC4h
                                  push ebp
                                  mov ebp, esp
                                  push dword ptr [ebp+08h]
                                  call 00007F4B74E23E96h
                                  pop ecx
                                  pop ebp
                                  ret
                                  push ebp
                                  mov ebp, esp
                                  test byte ptr [ebp+08h], 00000001h
                                  push esi
                                  mov esi, ecx
                                  mov dword ptr [esi], 0042B35Ch
                                  je 00007F4B74E233ACh
                                  push 0000000Ch
                                  push esi
                                  call 00007F4B74E2337Dh
                                  pop ecx
                                  pop ecx
                                  mov eax, esi
                                  pop esi
                                  pop ebp
                                  retn 0004h
                                  push ebp
                                  mov ebp, esp
                                  mov eax, dword ptr [ebp+08h]
                                  push esi
                                  mov ecx, dword ptr [eax+3Ch]
                                  add ecx, eax
                                  movzx eax, word ptr [ecx+14h]
                                  lea edx, dword ptr [ecx+18h]
                                  add edx, eax
                                  movzx eax, word ptr [ecx+06h]
                                  imul esi, eax, 28h
                                  add esi, edx
                                  cmp edx, esi
                                  je 00007F4B74E233BBh
                                  mov ecx, dword ptr [ebp+0Ch]
                                  cmp ecx, dword ptr [edx+0Ch]
                                  jc 00007F4B74E233ACh
                                  mov eax, dword ptr [edx+08h]
                                  add eax, dword ptr [edx+0Ch]
                                  cmp ecx, eax
                                  jc 00007F4B74E233AEh
                                  add edx, 28h
                                  cmp edx, esi
                                  jne 00007F4B74E2338Ch
                                  xor eax, eax
                                  pop esi
                                  pop ebp
                                  ret
                                  mov eax, edx
                                  jmp 00007F4B74E2339Bh
                                  push esi
                                  call 00007F4B74E23E48h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x34160 | 0x48 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x341a8 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x82000 | 0x1e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x83000 | 0x1f9c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x31fc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x31f00 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2a000 | 0x164 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x27817 | 0x27a00 | 54e50506ee3457079b01d8f8d092f653 | False | 0.549475059148265 | data | 6.642285110957014 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.BSS | 0x29000 | 0xdfd | 0xe00 | c8931465090505085f9d58aac99abd6b | False | 0.6422991071428571 | data | 6.405204159056983 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2a000 | 0xa9c2 | 0xaa00 | e520793fbdebdfa7a5b431864d88f430 | False | 0.4309512867647059 | data | 4.9597660102339365 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x35000 | 0x4cf84 | 0x4c000 | 6109adfbd26aaed69f45fedc418a8d27 | False | 0.9866654245476973 | data | 7.9888590462917035 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x82000 | 0x1e0 | 0x200 | c35d66eb0330df7b21d6f51c26172ee0 | False | 0.52734375 | data | 4.704363013479242 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x83000 | 0x1f9c | 0x2000 | f19030931ad014e1637fe69a8d9b1875 | False | 0.749267578125 | data | 6.52060000230319 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x82060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Import
USER32.dll | OffsetRect, GetUpdateRgn
KERNEL32.dll | CreateFileW, HeapSize, GetProcessHeap, SetStdHandle, SetEnvironmentVariableW, VirtualAlloc, WaitForSingleObject, CreateThread, GetThreadId, MultiByteToWideChar, GetStringTypeW, WideCharToMultiByte, GetCurrentThreadId, CloseHandle, WaitForSingleObjectEx, GetExitCodeThread, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, ReleaseSRWLockExclusive, WakeAllConditionVariable, QueryPerformanceCounter, GetSystemTimeAsFileTime, GetModuleHandleW, GetProcAddress, GetCPInfo, IsProcessorFeaturePresent, GetCurrentProcessId, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetCurrentProcess, TerminateProcess, FreeEnvironmentStringsW, RaiseException, RtlUnwind, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, ExitThread, FreeLibraryAndExitThread, GetModuleHandleExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, WriteConsoleW
Name | Ordinal | Address
AwakeSound | 1 | 0x429c70
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
07/05/24-00:25:02.988901 | TCP | 2046056 | ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) | 3445 | 49711 | 77.105.135.107 | 192.168.2.6
07/05/24-00:24:57.551670 | TCP | 2046045 | ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 49711 | 3445 | 192.168.2.6 | 77.105.135.107
07/05/24-00:25:09.628865 | TCP | 2043231 | ET TROJAN Redline Stealer TCP CnC Activity | 49711 | 3445 | 192.168.2.6 | 77.105.135.107
07/05/24-00:24:57.748151 | TCP | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 3445 | 49711 | 77.105.135.107 | 192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                  Jul 5, 2024 00:25:06.014308929 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.055299044 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.072004080 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.078633070 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.078701973 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.087337017 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.087393045 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.089128017 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.089181900 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.093566895 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.093619108 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.095299959 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.095359087 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.095980883 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.096030951 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.096874952 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.096921921 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.100900888 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.102046967 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.103559971 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.103885889 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.104688883 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.104751110 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.104760885 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.377827883 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.430278063 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.475140095 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.483033895 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.483052015 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.483059883 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.483072996 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.483098984 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.483124971 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.483129025 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.483203888 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.485474110 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.485483885 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.485516071 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.485529900 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.487095118 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.487149954 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.489332914 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.489346981 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.489382982 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.489397049 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.490106106 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.490155935 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.491012096 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.491020918 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.491067886 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.491081953 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.492742062 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.492750883 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.492796898 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.494420052 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.494471073 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.497073889 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.497136116 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.498898029 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.498950005 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.499984026 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.500041962 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.501707077 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.501763105 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.505026102 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.505163908 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.505217075 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.506210089 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.506269932 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.509037971 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.509108067 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.511943102 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.512008905 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.515090942 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.515167952 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.517457962 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.517509937 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.517616034 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.517710924 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.518531084 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.518549919 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.518558979 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.518585920 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.518609047 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.519109011 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.519160032 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.521440983 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.521451950 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.521460056 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.521492958 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.521512032 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.524529934 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.524601936 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.525638103 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.525656939 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.525703907 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.525708914 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.525719881 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.525753975 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.525769949 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.526288033 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.526298046 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.526360035 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.528000116 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.528053045 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.528055906 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.528067112 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.528104067 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.530839920 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.530889988 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.531955004 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.531992912 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.532001972 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.532011032 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.532016039 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.532035112 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.532064915 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.533080101 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.533090115 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.533144951 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.534254074 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.534264088 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.534312010 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.534565926 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.534677029 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.537115097 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.537163019 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.538193941 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.538243055 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.538248062 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.538269997 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.538296938 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.538316011 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.538690090 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.538700104 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.538747072 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.539810896 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.539896965 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.539933920 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.541245937 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.541255951 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.541265011 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.541301966 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.541322947 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.543205976 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.543266058 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.545030117 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.545039892 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.545048952 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.545089006 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.545108080 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.546046972 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.546056986 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.546104908 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.546875954 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.546885967 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.546936035 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.547885895 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.547940016 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.547960043 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.547970057 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.547981024 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.548007011 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.548038960 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.549397945 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.549453974 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.551702023 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.551729918 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.551738977 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.551763058 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.551781893 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.552808046 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.552866936 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.552881956 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.552941084 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.553993940 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.554048061 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.554392099 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.554445982 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.554828882 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.554877043 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.554882050 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.554898024 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.554929972 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.554944038 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.555643082 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.555696011 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.556180000 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.556231022 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.557940006 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.557950020 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.558003902 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.558075905 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.558125973 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.559648037 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.559700966 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.559891939 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.559933901 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.560702085 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.560745955 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.560770988 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.560808897 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.561100006 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.561144114 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.561889887 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.561898947 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.561908007 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.561947107 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.561964989 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.562423944 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.562467098 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.563534021 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.563671112 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.564188004 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.564198971 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.564249039 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.565279007 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.565347910 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.566418886 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.566428900 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.566478968 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.567709923 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.567720890 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.567729950 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.567771912 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.567800999 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.569706917 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.569756031 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.569787979 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.569797039 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.569845915 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.570544004 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.570590973 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.570991039 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.571036100 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.571038961 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.571049929 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.571079969 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.571118116 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.571754932 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.571764946 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.571815014 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.572913885 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.572968960 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.573087931 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.573142052 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.574500084 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.574513912 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.574523926 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.574558973 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.574585915 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.576119900 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.576180935 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.576208115 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.576231956 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.576276064 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.576318026 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.577166080 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.577228069 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.577856064 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.577878952 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.577888966 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.577909946 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.577941895 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.578870058 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.578908920 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.578929901 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.579140902 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.657354116 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.657668114 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.657686949 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.657696009 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.657705069 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.657711029 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.657736063 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.657753944 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.658895016 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.659003973 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.659388065 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.659455061 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.659518957 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.659632921 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.660573959 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.660588980 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.660608053 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.660617113 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.660624981 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.660650969 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.660684109 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.661087990 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.661143064 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.662236929 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.662291050 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.662297964 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.662328959 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.662830114 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.662880898 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.662882090 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.662923098 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.662964106 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.663008928 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.663465023 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.663475990 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.663541079 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.663968086 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.664031029 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.664539099 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.664613962 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.664659977 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.664669991 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.664680004 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.664709091 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.664727926 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.665102005 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.665175915 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.665723085 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.665800095 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.666296959 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.666368008 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.666970015 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.666980982 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.666991949 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.667001009 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.667018890 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.667035103 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.667062044 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.668032885 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.668092012 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.668649912 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.668658972 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.668708086 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.668741941 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.669234991 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.669244051 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.669286013 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.669287920 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.669332981 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.670417070 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.670427084 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.670485020 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.670897007 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.670945883 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.670969009 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.670979023 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.671010017 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.671045065 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.671453953 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.671514034 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.671514988 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.671539068 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.671554089 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.671557903 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.671578884 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.671591043 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.672677040 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.672949076 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.673316002 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.673363924 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.673365116 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.673376083 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.673386097 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.673412085 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.673444986 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.674381018 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.674395084 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.674433947 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.674441099 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.675532103 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.675596952 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.675616980 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.676141977 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.676177979 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.676187992 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.676211119 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.676229000 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.676245928 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.677237988 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.677263021 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.677318096 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.677855968 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.677910089 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.677939892 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.677989960 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.678272963 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.678323030 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.678482056 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.678527117 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.678539991 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.678549051 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.678563118 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.678585052 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.678616047 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.679555893 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.679600000 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.680161953 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.680171013 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.680177927 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.680187941 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.680233002 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.680270910 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.681257010 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.681297064 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.681345940 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.682456970 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.682466984 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.682480097 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.682488918 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.682518005 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.682519913 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.682532072 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.682540894 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.682543993 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.682569027 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.682588100 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.684313059 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.684334040 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.684360027 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.684381962 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.684756041 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.684766054 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.684804916 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.684840918 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.684899092 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.685357094 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.685367107 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.685378075 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.685388088 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.685417891 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.685452938 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.686472893 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.686526060 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.687021017 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.687078953 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.687089920 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.687099934 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.687108994 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.687134027 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.687148094 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.687596083 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.687652111 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.687706947 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.688721895 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.688771963 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.688805103 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.688873053 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.688926935 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.689354897 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.689373970 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.689409018 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.689421892 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.689429045 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.689433098 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.689476013 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.691247940 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.691268921 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.691277981 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.691287994 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.691298962 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.691328049 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.691330910 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.691345930 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.691386938 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.692821026 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.692831039 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.692876101 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.692902088 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.692987919 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.693955898 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.694022894 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.694530964 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.694540024 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.694591045 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.695640087 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.695673943 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.695703030 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.695719004 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.695732117 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.695784092 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.696662903 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.696722984 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.697365999 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.697422981 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.697725058 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.697773933 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.699131966 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.699189901 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.699551105 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.699615955 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.700251102 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.700298071 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.700870037 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.700923920 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.701188087 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.701271057 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.702564955 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.702614069 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.702616930 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.702625990 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.702676058 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.703711033 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.703767061 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.704303980 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.704354048 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.705426931 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.705487967 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.706006050 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.706058025 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.706559896 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.706950903 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.707163095 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.707720041 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.707772970 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.708318949 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.708374023 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.708436012 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.709517002 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.709527016 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.709573984 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.709585905 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.710629940 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.710675955 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:06.711227894 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.712460995 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.712472916 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.713485956 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.714148045 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.714164019 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.714813948 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.714824915 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.715843916 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.715899944 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.717597008 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:06.717679977 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:07.291667938 CEST34454971177.105.135.107192.168.2.6
                                  Jul 5, 2024 00:25:07.329546928 CEST497113445192.168.2.677.105.135.107
                                  Jul 5, 2024 00:25:07.335810900 CEST34454971177.105.135.107192.168.2.6


                                  Target ID:0
                                  Start time:18:24:53
                                  Start date:04/07/2024
                                  Path:C:\Users\user\Desktop\file.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\file.exe"
                                  Imagebase:0xf00000
                                  File size:530'432 bytes
                                  MD5 hash:0B147A2BC6013C0DE94E6E30A8C419DB
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  Reputation:low
                                  Has exited:true

                                  Target ID:2
                                  Start time:18:24:54
                                  Start date:04/07/2024
                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                  Imagebase:0x840000
                                  File size:65'440 bytes
                                  MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.2246916102.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.2247954383.0000000002AD5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:high
                                  Has exited:true

                                  Target ID:5
                                  Start time:18:24:54
                                  Start date:04/07/2024
                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6060 -s 272
                                  Imagebase:0x8f0000
                                  File size:483'680 bytes
                                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true


                                    Execution Graph

                                    Execution Coverage:2.8%
                                    Dynamic/Decrypted Code Coverage:0.3%
                                    Signature Coverage:3.4%
                                    Total number of Nodes:2000
                                    Total number of Limit Nodes:19
21693 f1a42f 21671->21693 21674->21618 21674->21619 21676 f1a514 21675->21676 21677 f1a51f 21675->21677 21676->21674 21678 f1882b ___std_exception_copy 43 API calls 21677->21678 21679 f1a57a 21678->21679 21680 f1a584 21679->21680 21681 f12e4c __Getctype 11 API calls 21679->21681 21680->21674 21682 f1a592 21681->21682 21684 f19da9 21683->21684 21685 f19db8 21684->21685 21686 f19dda 21684->21686 21687 f12da2 __strnicoll 43 API calls 21685->21687 21688 f19df4 21686->21688 21690 f19e49 21686->21690 21692 f19dd0 __alldvrm codecvt _strrchr 21687->21692 21689 f1a0c2 45 API calls 21688->21689 21689->21692 21691 f11d80 _Fputc 43 API calls 21690->21691 21690->21692 21691->21692 21692->21674 21694 f236b5 45 API calls 21693->21694 21695 f1a45f 21694->21695 21696 f235bb 43 API calls 21695->21696 21697 f1a49d 21696->21697 21698 f1a4dd 21697->21698 21699 f1a4b6 21697->21699 21701 f1a4a4 21697->21701 21700 f1a166 43 API calls 21698->21700 21702 f1a341 43 API calls 21699->21702 21700->21701 21701->21674 21702->21701 21704 f236b5 45 API calls 21703->21704 21705 f1a2da 21704->21705 21706 f235bb 43 API calls 21705->21706 21707 f1a31b 21706->21707 21708 f1a322 21707->21708 21709 f1a341 43 API calls 21707->21709 21708->21674 21709->21708 21711 f236b5 45 API calls 21710->21711 21712 f1a0ec 21711->21712 21713 f235bb 43 API calls 21712->21713 21714 f1a13a 21713->21714 21715 f1a166 43 API calls 21714->21715 21716 f1a141 21714->21716 21715->21716 21716->21674 21718 f133d6 21717->21718 21722 f133fd 21717->21722 21719 f1aae9 _Ungetc 43 API calls 21718->21719 21718->21722 21720 f133f2 21719->21720 21723 f1c544 21720->21723 21722->21472 21725 f1c550 ___scrt_is_nonwritable_in_current_image 21723->21725 21724 f1c614 21726 f12da2 __strnicoll 43 API calls 21724->21726 21725->21724 21727 f1c5a5 21725->21727 21733 f1c558 21725->21733 21726->21733 21734 f209c6 EnterCriticalSection 21727->21734 21729 f1c5ab 21730 f1c5c8 21729->21730 21735 f1c64c 21729->21735 21761 f1c60c 21730->21761 21733->21722 
21734->21729 21736 f1c671 21735->21736 21759 f1c694 __fread_nolock 21735->21759 21737 f1c675 21736->21737 21739 f1c6d3 21736->21739 21738 f12da2 __strnicoll 43 API calls 21737->21738 21738->21759 21740 f1c6ea 21739->21740 21764 f1e1dd 21739->21764 21767 f1c1d0 21740->21767 21744 f1c73a 21748 f1c79d WriteFile 21744->21748 21749 f1c74e 21744->21749 21745 f1c6fa 21746 f1c701 21745->21746 21747 f1c724 21745->21747 21746->21759 21748->21759 21759->21730 21814 f209e9 LeaveCriticalSection 21761->21814 21763 f1c612 21763->21733 21765 f1e0bc __fread_nolock 45 API calls 21764->21765 21766 f1e1f6 21765->21766 21766->21740 21768 f24e15 __fread_nolock 43 API calls 21767->21768 21771 f1c1e2 21768->21771 21769 f1c243 21769->21744 21769->21745 21770 f1c210 21770->21769 21773 f1c22a GetConsoleMode 21770->21773 21771->21769 21771->21770 21772 f11d80 _Fputc 43 API calls 21771->21772 21772->21770 21773->21769 21814->21763 21815->21444 21817 f168f0 21816->21817 21818 f16901 21816->21818 21827 f1698b GetModuleHandleW 21817->21827 21834 f1678b 21818->21834 21823 f1693f 21823->20901 21828 f168f5 21827->21828 21828->21818 21829 f169f0 GetModuleHandleExW 21828->21829 21830 f16a2f GetProcAddress 21829->21830 21833 f16a43 21829->21833 21830->21833 21831 f16a56 FreeLibrary 21832 f16a5f 21831->21832 21832->21818 21833->21831 21833->21832 21835 f16797 ___scrt_is_nonwritable_in_current_image 21834->21835 21849 f12f71 EnterCriticalSection 21835->21849 21837 f167a1 21850 f167d8 21837->21850 21839 f167ae 21854 f167cc 21839->21854 21842 f1695a 21879 f169ce 21842->21879 21845 f16978 21847 f169f0 CallUnexpected 3 API calls 21845->21847 21846 f16968 GetCurrentProcess TerminateProcess 21846->21845 21848 f16980 ExitProcess 21847->21848 21849->21837 21851 f167e4 ___scrt_is_nonwritable_in_current_image 21850->21851 21853 f1684b CallUnexpected 21851->21853 21857 f185f5 21851->21857 21853->21839 21878 f12fb9 LeaveCriticalSection 21854->21878 21856 f167ba 21856->21823 21856->21842 21858 f18601 __EH_prolog3 
21857->21858 21861 f1834d 21858->21861 21860 f18628 codecvt 21860->21853 21862 f18359 ___scrt_is_nonwritable_in_current_image 21861->21862 21869 f12f71 EnterCriticalSection 21862->21869 21864 f18367 21870 f18505 21864->21870 21869->21864 21871 f18524 21870->21871 21872 f18374 21870->21872 21871->21872 21873 f1899f ___free_lconv_mon 14 API calls 21871->21873 21874 f1839c 21872->21874 21873->21872 21877 f12fb9 LeaveCriticalSection 21874->21877 21876 f18385 21876->21860 21877->21876 21878->21856 21884 f19b56 GetPEB 21879->21884 21882 f169d8 GetPEB 21883 f16964 21882->21883 21883->21845 21883->21846 21885 f19b70 21884->21885 21886 f169d3 21884->21886 21888 f18cfd 21885->21888 21886->21882 21886->21883 21889 f18c7a std::_Locinfo::_Locinfo_dtor 5 API calls 21888->21889 21890 f18d19 21889->21890 21890->21886 21892 f187a7 21891->21892 21893 f187b9 ___scrt_uninitialize_crt 21891->21893 21894 f187b5 21892->21894 21896 f1348b 21892->21896 21893->20939 21894->20939 21899 f13318 21896->21899 21902 f1320c 21899->21902 21903 f13218 ___scrt_is_nonwritable_in_current_image 21902->21903 21910 f12f71 EnterCriticalSection 21903->21910 21905 f1328e 21919 f132ac 21905->21919 21906 f13222 ___scrt_uninitialize_crt 21906->21905 21911 f13180 21906->21911 21910->21906 21912 f1318c ___scrt_is_nonwritable_in_current_image 21911->21912 21922 f0f658 EnterCriticalSection 21912->21922 21914 f13196 ___scrt_uninitialize_crt 21915 f131cf 21914->21915 21923 f13426 21914->21923 21936 f13200 21915->21936 21981 f12fb9 LeaveCriticalSection 21919->21981 21921 f1329a 21921->21894 21922->21914 21924 f1343b _Fputc 21923->21924 21925 f13442 21924->21925 21926 f1344d 21924->21926 21927 f13318 ___scrt_uninitialize_crt 72 API calls 21925->21927 21928 f133bd ___scrt_uninitialize_crt 68 API calls 21926->21928 21929 f13448 21927->21929 21930 f13457 21928->21930 21931 f106a0 _Fputc 43 API calls 21929->21931 21930->21929 21933 f1aae9 _Ungetc 43 API calls 21930->21933 21932 f13485 21931->21932 21932->21915 21934 f1346e 
21933->21934 21939 f1bd19 21934->21939 21980 f0f66c LeaveCriticalSection 21936->21980 21938 f131ee 21938->21906 21940 f1bd37 21939->21940 21941 f1bd2a 21939->21941 21943 f1bd80 21940->21943 21946 f1bd5e 21940->21946 21942 f12f1d __strnicoll 14 API calls 21941->21942 21945 f1bd2f 21942->21945 21944 f12f1d __strnicoll 14 API calls 21943->21944 21947 f1bd85 21944->21947 21945->21929 21950 f1bc77 21946->21950 21949 f12e1f __strnicoll 43 API calls 21947->21949 21949->21945 21951 f1bc83 ___scrt_is_nonwritable_in_current_image 21950->21951 21963 f209c6 EnterCriticalSection 21951->21963 21953 f1bc92 21961 f1bcd7 21953->21961 21964 f20a9d 21953->21964 21955 f12f1d __strnicoll 14 API calls 21957 f1bcde 21955->21957 21956 f1bcbe FlushFileBuffers 21956->21957 21958 f1bcca GetLastError 21956->21958 21977 f1bd0d 21957->21977 21959 f12f0a __dosmaperr 14 API calls 21958->21959 21959->21961 21961->21955 21963->21953 21965 f20aaa 21964->21965 21966 f20abf 21964->21966 21967 f12f0a __dosmaperr 14 API calls 21965->21967 21968 f12f0a __dosmaperr 14 API calls 21966->21968 21970 f20ae4 21966->21970 21969 f20aaf 21967->21969 21971 f20aef 21968->21971 21972 f12f1d __strnicoll 14 API calls 21969->21972 21970->21956 21973 f12f1d __strnicoll 14 API calls 21971->21973 21975 f20ab7 21972->21975 21974 f20af7 21973->21974 21976 f12e1f __strnicoll 43 API calls 21974->21976 21975->21956 21976->21975 21978 f209e9 ___scrt_uninitialize_crt LeaveCriticalSection 21977->21978 21979 f1bcf6 21978->21979 21979->21945 21980->21938 21981->21921 25312 f0f5c6 25313 f1348b ___scrt_uninitialize_crt 72 API calls 25312->25313 25314 f0f5ce 25313->25314 25322 f1920c 25314->25322 25316 f0f5d3 25317 f192b7 14 API calls 25316->25317 25318 f0f5e2 DeleteCriticalSection 25317->25318 25318->25316 25319 f0f5fd 25318->25319 25320 f1899f ___free_lconv_mon 14 API calls 25319->25320 25321 f0f608 25320->25321 25323 f19218 ___scrt_is_nonwritable_in_current_image 25322->25323 25332 f12f71 EnterCriticalSection 25323->25332 25325 
f1928f 25333 f192ae 25325->25333 25326 f19223 25326->25325 25328 f19263 DeleteCriticalSection 25326->25328 25330 f13150 73 API calls 25326->25330 25331 f1899f ___free_lconv_mon 14 API calls 25328->25331 25330->25326 25331->25326 25332->25326 25336 f12fb9 LeaveCriticalSection 25333->25336 25335 f1929b 25335->25316 25336->25335 19683 f29b20 19696 f07630 19683->19696 19685 f29b60 19712 f0afd6 19685->19712 19693 f29bdc codecvt 19765 f0afc3 19693->19765 19695 f29c37 19697 f07640 19696->19697 19698 f07663 19696->19698 19700 f07647 19697->19700 19701 f0767a 19697->19701 19699 f07674 19698->19699 19702 f0afd6 std::_Facet_Register 3 API calls 19698->19702 19699->19685 19704 f0afd6 std::_Facet_Register 3 API calls 19700->19704 19772 f01370 19701->19772 19705 f0766d 19702->19705 19706 f0764d 19704->19706 19705->19685 19707 f07656 19706->19707 19778 f12e2f 19706->19778 19707->19685 19715 f0afdb _Yarn 19712->19715 19713 f0aff5 19719 f296b0 19713->19719 19714 f182c4 std::_Facet_Register 2 API calls 19714->19715 19715->19713 19715->19714 19716 f0aff7 std::_Facet_Register 19715->19716 19717 f0bc00 CallUnexpected RaiseException 19716->19717 19718 f0bb23 19717->19718 19720 f298f9 19719->19720 19723 f296da codecvt 19719->19723 19721 f0afc3 __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 5 API calls 19720->19721 19722 f2990a VirtualAlloc GetUpdateRgn 19721->19722 19729 f29960 19722->19729 19723->19720 19724 f12ac1 46 API calls 19723->19724 19726 f29910 19723->19726 20062 f06200 19723->20062 19724->19723 19727 f12e2f std::_Throw_Cpp_error 43 API calls 19726->19727 19728 f29915 19727->19728 19730 f0afd6 std::_Facet_Register 3 API calls 19729->19730 19731 f29979 19730->19731 19733 f299f3 19731->19733 20093 f07410 19731->20093 20119 f29000 19733->20119 19735 f29ab9 codecvt 19736 f29aea codecvt 19735->19736 19738 f29b11 19735->19738 19737 f0afc3 __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 5 API calls 19736->19737 19739 f29b03 19737->19739 19740 f12e2f 
std::_Throw_Cpp_error 43 API calls 19738->19740 19742 f29190 19739->19742 19741 f29b16 19740->19741 19743 f0afd6 std::_Facet_Register 3 API calls 19742->19743 19747 f291bb 19743->19747 19758 f2927e codecvt 19747->19758 20351 f05030 19747->20351 20359 f04e90 19747->20359 20398 f06e90 19747->20398 20405 f04a80 19747->20405 19749 f29315 OffsetRect 19749->19758 19750 f04e90 76 API calls 19750->19758 19751 f06e90 49 API calls 19751->19758 19752 f04a80 49 API calls 19752->19758 19753 f12ac1 46 API calls 19753->19758 19754 f02300 76 API calls 19754->19758 19757 f02460 76 API calls 19757->19758 19758->19749 19758->19750 19758->19751 19758->19752 19758->19753 19758->19754 19758->19757 19759 f2969c 19758->19759 19762 f29667 codecvt 19758->19762 20413 f06490 19758->20413 20440 f06d20 19758->20440 19760 f12e2f std::_Throw_Cpp_error 43 API calls 19759->19760 19761 f296a1 19760->19761 19763 f0afc3 __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 5 API calls 19762->19763 19764 f29698 19763->19764 19764->19693 19766 f0afcb 19765->19766 19767 f0afcc IsProcessorFeaturePresent 19765->19767 19766->19695 19769 f0b942 19767->19769 20878 f0b905 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 19769->20878 19771 f0ba25 19771->19695 19773 f0137b std::_Facet_Register 19772->19773 19783 f0bc00 19773->19783 19775 f0138a 19786 f0bb5b 19775->19786 19779 f12d6b __strnicoll 43 API calls 19778->19779 19780 f12e3e 19779->19780 19781 f12e4c __Getctype 11 API calls 19780->19781 19782 f12e4b 19781->19782 19784 f0bc47 RaiseException 19783->19784 19785 f0bc1a 19783->19785 19784->19775 19785->19784 19787 f0bb68 _Yarn 19786->19787 19791 f013b1 19786->19791 19788 f0bb95 19787->19788 19787->19791 19792 f1882b 19787->19792 19801 f121bf 19788->19801 19791->19706 19793 f18839 19792->19793 19794 f18847 19792->19794 19793->19794 19799 f1885f 19793->19799 19804 f12f1d 19794->19804 19796 f1884f 19807 f12e1f 19796->19807 19798 f18859 19798->19788 19799->19798 19800 
f12f1d __strnicoll 14 API calls 19799->19800 19800->19796 19802 f1899f ___free_lconv_mon 14 API calls 19801->19802 19803 f121d7 19802->19803 19803->19791 19810 f19978 GetLastError 19804->19810 19806 f12f22 19806->19796 19947 f12d6b 19807->19947 19811 f19994 19810->19811 19812 f1998e 19810->19812 19830 f19998 SetLastError 19811->19830 19838 f18f0a 19811->19838 19833 f18ecb 19812->19833 19819 f199cd 19821 f18f0a __dosmaperr 6 API calls 19819->19821 19820 f199de 19822 f18f0a __dosmaperr 6 API calls 19820->19822 19823 f199db 19821->19823 19824 f199ea 19822->19824 19852 f1899f 19823->19852 19825 f19a05 19824->19825 19826 f199ee 19824->19826 19858 f19655 19825->19858 19827 f18f0a __dosmaperr 6 API calls 19826->19827 19827->19823 19830->19806 19832 f1899f ___free_lconv_mon 12 API calls 19832->19830 19863 f18c7a 19833->19863 19836 f18ef0 19836->19811 19837 f18f02 TlsGetValue 19839 f18c7a std::_Locinfo::_Locinfo_dtor 5 API calls 19838->19839 19840 f18f26 19839->19840 19841 f18f44 TlsSetValue 19840->19841 19842 f18f2f 19840->19842 19842->19830 19843 f18942 19842->19843 19844 f1894f 19843->19844 19845 f1898f 19844->19845 19846 f1897a HeapAlloc 19844->19846 19850 f18963 __dosmaperr 19844->19850 19848 f12f1d __strnicoll 13 API calls 19845->19848 19847 f1898d 19846->19847 19846->19850 19849 f18994 19847->19849 19848->19849 19849->19819 19849->19820 19850->19845 19850->19846 19878 f182c4 19850->19878 19853 f189d4 19852->19853 19854 f189aa HeapFree 19852->19854 19853->19830 19854->19853 19855 f189bf GetLastError 19854->19855 19856 f189cc __dosmaperr 19855->19856 19857 f12f1d __strnicoll 12 API calls 19856->19857 19857->19853 19891 f194e9 19858->19891 19864 f18ca4 19863->19864 19865 f18ca8 19863->19865 19864->19836 19864->19837 19865->19864 19870 f18baf 19865->19870 19868 f18cc2 GetProcAddress 19868->19864 19869 f18cd2 std::_Locinfo::_Locinfo_dtor 19868->19869 19869->19864 19876 f18bc0 ___vcrt_InitializeCriticalSectionEx 19870->19876 19871 f18c56 19871->19864 19871->19868 19872 
f18bde LoadLibraryExW 19873 f18bf9 GetLastError 19872->19873 19874 f18c5d 19872->19874 19873->19876 19874->19871 19875 f18c6f FreeLibrary 19874->19875 19875->19871 19876->19871 19876->19872 19877 f18c2c LoadLibraryExW 19876->19877 19877->19874 19877->19876 19881 f182f1 19878->19881 19882 f182fd ___scrt_is_nonwritable_in_current_image 19881->19882 19887 f12f71 EnterCriticalSection 19882->19887 19884 f18308 19888 f18344 19884->19888 19887->19884 19889 f12fb9 std::_Lockit::~_Lockit LeaveCriticalSection 19888->19889 19890 f182cf 19889->19890 19890->19850 19892 f194f5 ___scrt_is_nonwritable_in_current_image 19891->19892 19905 f12f71 EnterCriticalSection 19892->19905 19894 f194ff 19906 f1952f 19894->19906 19897 f195fb 19898 f19607 ___scrt_is_nonwritable_in_current_image 19897->19898 19910 f12f71 EnterCriticalSection 19898->19910 19900 f19611 19911 f197dc 19900->19911 19902 f19629 19915 f19649 19902->19915 19905->19894 19909 f12fb9 LeaveCriticalSection 19906->19909 19908 f1951d 19908->19897 19909->19908 19910->19900 19912 f19812 __Getctype 19911->19912 19913 f197eb __Getctype 19911->19913 19912->19902 19913->19912 19918 f21867 19913->19918 19946 f12fb9 LeaveCriticalSection 19915->19946 19917 f19637 19917->19832 19926 f2187d 19918->19926 19943 f218e7 19918->19943 19919 f21935 19920 f219d8 __Getctype 14 API calls 19919->19920 19935 f21943 19920->19935 19921 f1899f ___free_lconv_mon 14 API calls 19923 f21909 19921->19923 19922 f218b0 19924 f218d2 19922->19924 19930 f1899f ___free_lconv_mon 14 API calls 19922->19930 19925 f1899f ___free_lconv_mon 14 API calls 19923->19925 19928 f1899f ___free_lconv_mon 14 API calls 19924->19928 19927 f2191c 19925->19927 19926->19922 19929 f1899f ___free_lconv_mon 14 API calls 19926->19929 19926->19943 19931 f1899f ___free_lconv_mon 14 API calls 19927->19931 19932 f218dc 19928->19932 19934 f218a5 19929->19934 19936 f218c7 19930->19936 19937 f2192a 19931->19937 19938 f1899f ___free_lconv_mon 14 API calls 19932->19938 19933 f219a3 19939 f1899f 
___free_lconv_mon 14 API calls 19933->19939 19940 f20b1d ___free_lconv_mon 14 API calls 19934->19940 19935->19933 19945 f1899f 14 API calls ___free_lconv_mon 19935->19945 19941 f20fd1 __Getctype 14 API calls 19936->19941 19942 f1899f ___free_lconv_mon 14 API calls 19937->19942 19938->19943 19944 f219a9 19939->19944 19940->19922 19941->19924 19942->19919 19943->19919 19943->19921 19944->19912 19945->19935 19946->19917 19948 f12d7d _Fputc 19947->19948 19953 f12da2 19948->19953 19950 f12d95 19964 f106a0 19950->19964 19954 f12db2 19953->19954 19955 f12db9 19953->19955 19970 f108f0 GetLastError 19954->19970 19960 f12dc7 19955->19960 19974 f12bfa 19955->19974 19958 f12dee 19958->19960 19977 f12e4c IsProcessorFeaturePresent 19958->19977 19960->19950 19961 f12e1e 19962 f12d6b __strnicoll 43 API calls 19961->19962 19963 f12e2b 19962->19963 19963->19950 19965 f106ac 19964->19965 19966 f106c3 19965->19966 20009 f10940 19965->20009 19968 f106d6 19966->19968 19969 f10940 _Fputc 43 API calls 19966->19969 19968->19798 19969->19968 19971 f10909 19970->19971 19981 f19a29 19971->19981 19975 f12c05 GetLastError SetLastError 19974->19975 19976 f12c1e 19974->19976 19975->19958 19976->19958 19978 f12e58 19977->19978 20003 f12c23 19978->20003 19982 f19a42 19981->19982 19983 f19a3c 19981->19983 19984 f18f0a __dosmaperr 6 API calls 19982->19984 20002 f10925 SetLastError 19982->20002 19985 f18ecb __dosmaperr 6 API calls 19983->19985 19986 f19a5c 19984->19986 19985->19982 19987 f18942 __dosmaperr 14 API calls 19986->19987 19986->20002 19988 f19a6c 19987->19988 19989 f19a74 19988->19989 19990 f19a89 19988->19990 19992 f18f0a __dosmaperr 6 API calls 19989->19992 19991 f18f0a __dosmaperr 6 API calls 19990->19991 19993 f19a95 19991->19993 19999 f19a80 19992->19999 19994 f19a99 19993->19994 19995 f19aa8 19993->19995 19996 f18f0a __dosmaperr 6 API calls 19994->19996 19997 f19655 __dosmaperr 14 API calls 19995->19997 19996->19999 20000 f19ab3 19997->20000 19998 f1899f ___free_lconv_mon 14 API calls 
19998->20002 19999->19998 20001 f1899f ___free_lconv_mon 14 API calls 20000->20001 20001->20002 20002->19955 20004 f12c3f CallUnexpected codecvt 20003->20004 20005 f12c6b IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 20004->20005 20008 f12d3c CallUnexpected 20005->20008 20006 f0afc3 __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 5 API calls 20007 f12d5a GetCurrentProcess TerminateProcess 20006->20007 20007->19961 20008->20006 20010 f1098f 20009->20010 20011 f1094e GetLastError 20009->20011 20010->19966 20012 f1095d 20011->20012 20013 f19a29 _Fputc 14 API calls 20012->20013 20014 f1097a SetLastError 20013->20014 20014->20010 20015 f10996 20014->20015 20018 f12fe7 20015->20018 20029 f1b830 20018->20029 20021 f12ff7 20023 f13001 IsProcessorFeaturePresent 20021->20023 20028 f13020 20021->20028 20025 f1300d 20023->20025 20027 f12c23 CallUnexpected 8 API calls 20025->20027 20027->20028 20059 f16a9f 20028->20059 20030 f1b762 CallUnexpected EnterCriticalSection LeaveCriticalSection 20029->20030 20031 f12fec 20030->20031 20031->20021 20032 f1b875 20031->20032 20033 f1b881 ___scrt_is_nonwritable_in_current_image 20032->20033 20034 f19978 __dosmaperr 14 API calls 20033->20034 20035 f1b8a8 CallUnexpected 20033->20035 20038 f1b8ae CallUnexpected 20033->20038 20034->20035 20036 f1b8f5 20035->20036 20035->20038 20058 f1b8df 20035->20058 20037 f12f1d __strnicoll 14 API calls 20036->20037 20039 f1b8fa 20037->20039 20040 f1b921 20038->20040 20042 f12f71 std::_Lockit::_Lockit EnterCriticalSection 20038->20042 20041 f12e1f __strnicoll 43 API calls 20039->20041 20044 f1b963 20040->20044 20045 f1ba54 20040->20045 20055 f1b992 20040->20055 20041->20058 20042->20040 20043 f1ba01 CallUnexpected LeaveCriticalSection 20046 f1b9d8 20043->20046 20051 f19827 _unexpected 43 API calls 20044->20051 20044->20055 20047 f1ba5f 20045->20047 20048 f12fb9 std::_Lockit::~_Lockit LeaveCriticalSection 20045->20048 20052 f19827 _unexpected 43 API calls 20046->20052 20056 
f1b9e7 20046->20056 20046->20058 20049 f16a9f CallUnexpected 23 API calls 20047->20049 20048->20047 20050 f1ba67 20049->20050 20053 f1b987 20051->20053 20052->20056 20054 f19827 _unexpected 43 API calls 20053->20054 20054->20055 20055->20043 20057 f19827 _unexpected 43 API calls 20056->20057 20056->20058 20057->20058 20058->20021 20060 f168c3 CallUnexpected 23 API calls 20059->20060 20061 f1302a 20060->20061 20063 f06316 20062->20063 20064 f0621a 20062->20064 20077 f013f0 20063->20077 20068 f06283 20064->20068 20069 f06276 20064->20069 20071 f0622d 20064->20071 20066 f0631b 20067 f01370 std::_Throw_Cpp_error 44 API calls 20066->20067 20075 f0623d codecvt 20067->20075 20072 f0afd6 std::_Facet_Register 3 API calls 20068->20072 20068->20075 20069->20066 20069->20071 20070 f0afd6 std::_Facet_Register 3 API calls 20070->20075 20071->20070 20072->20075 20073 f12e2f std::_Throw_Cpp_error 43 API calls 20074 f06325 20073->20074 20075->20073 20076 f062dc codecvt 20075->20076 20076->19723 20082 f07b42 20077->20082 20087 f07a65 20082->20087 20085 f0bc00 CallUnexpected RaiseException 20086 f07b61 20085->20086 20090 f01280 20087->20090 20091 f0bb5b ___std_exception_copy 43 API calls 20090->20091 20092 f012ae 20091->20092 20092->20085 20094 f075a6 20093->20094 20096 f0745d 20093->20096 20130 f07000 20094->20130 20100 f0afd6 std::_Facet_Register 3 API calls 20096->20100 20097 f12e2f std::_Throw_Cpp_error 43 API calls 20098 f075b0 20097->20098 20164 f04c10 20098->20164 20105 f074b7 codecvt 20100->20105 20101 f075bb 20102 f0bc00 CallUnexpected RaiseException 20101->20102 20103 f075c4 20102->20103 20104 f07623 20103->20104 20106 f075e9 20103->20106 20107 f0760c 20103->20107 20108 f01370 std::_Throw_Cpp_error 44 API calls 20104->20108 20105->20097 20118 f0756b codecvt 20105->20118 20106->20104 20110 f075f0 20106->20110 20111 f0761d 20107->20111 20114 f0afd6 std::_Facet_Register 3 API calls 20107->20114 20109 f075f6 20108->20109 20112 f12e2f std::_Throw_Cpp_error 43 API calls 
20109->20112 20117 f075ff 20109->20117 20113 f0afd6 std::_Facet_Register 3 API calls 20110->20113 20111->19731 20115 f0762d 20112->20115 20113->20109 20116 f07616 20114->20116 20116->19731 20117->19731 20118->19731 20122 f29147 20119->20122 20127 f2901f 20119->20127 20120 f29170 codecvt 20120->19735 20121 f05030 49 API calls 20121->20127 20122->20120 20123 f12e2f std::_Throw_Cpp_error 43 API calls 20122->20123 20124 f29188 20123->20124 20125 f04e90 76 API calls 20125->20127 20126 f06e90 49 API calls 20126->20127 20127->20121 20127->20122 20127->20125 20127->20126 20128 f04a80 49 API calls 20127->20128 20169 f12ac1 20127->20169 20128->20127 20131 f07b42 std::_Throw_Cpp_error 44 API calls 20130->20131 20135 f0700a 20131->20135 20132 f071a6 20133 f07000 44 API calls 20132->20133 20150 f070ba codecvt 20133->20150 20134 f071a1 20136 f01370 std::_Throw_Cpp_error 44 API calls 20134->20136 20135->20132 20135->20134 20137 f070d6 20135->20137 20138 f070a9 20135->20138 20136->20132 20144 f0afd6 std::_Facet_Register 3 API calls 20137->20144 20137->20150 20138->20134 20141 f070b4 20138->20141 20139 f12e2f std::_Throw_Cpp_error 43 API calls 20140 f071b0 20139->20140 20142 f04c10 43 API calls 20140->20142 20143 f0afd6 std::_Facet_Register 3 API calls 20141->20143 20145 f071bb 20142->20145 20143->20150 20144->20150 20146 f0bc00 CallUnexpected RaiseException 20145->20146 20147 f071c4 20146->20147 20148 f07219 20147->20148 20149 f0735e 20147->20149 20152 f07233 20148->20152 20155 f07281 20148->20155 20156 f07271 20148->20156 20151 f07000 44 API calls 20149->20151 20150->20139 20153 f0716c codecvt 20150->20153 20154 f07363 20151->20154 20158 f0afd6 std::_Facet_Register 3 API calls 20152->20158 20153->20105 20157 f01370 std::_Throw_Cpp_error 44 API calls 20154->20157 20159 f0afd6 std::_Facet_Register 3 API calls 20155->20159 20162 f07246 codecvt 20155->20162 20156->20152 20156->20154 20157->20162 20158->20162 20159->20162 20160 f12e2f std::_Throw_Cpp_error 43 API calls 20161 f0736d 
20160->20161 20162->20160 20163 f07315 codecvt 20162->20163 20163->20105 20165 f04c27 20164->20165 20166 f04c37 codecvt 20164->20166 20165->20166 20167 f12e2f std::_Throw_Cpp_error 43 API calls 20165->20167 20166->20101 20168 f04c4b 20167->20168 20170 f12ad4 _Fputc 20169->20170 20175 f121da 20170->20175 20172 f12aee 20173 f106a0 _Fputc 43 API calls 20172->20173 20174 f12afb 20173->20174 20174->20127 20189 f11ddb 20175->20189 20177 f12234 20183 f12258 20177->20183 20196 f11d80 20177->20196 20178 f121ec 20178->20177 20179 f12201 20178->20179 20188 f1221c std::_Locinfo::_Locinfo_dtor 20178->20188 20180 f12da2 __strnicoll 43 API calls 20179->20180 20180->20188 20185 f1227c 20183->20185 20203 f12a2b 20183->20203 20184 f12304 20186 f11d27 43 API calls 20184->20186 20185->20184 20210 f11d27 20185->20210 20186->20188 20188->20172 20190 f11de0 20189->20190 20191 f11df3 20189->20191 20192 f12f1d __strnicoll 14 API calls 20190->20192 20191->20178 20193 f11de5 20192->20193 20194 f12e1f __strnicoll 43 API calls 20193->20194 20195 f11df0 20194->20195 20195->20178 20197 f10940 _Fputc 43 API calls 20196->20197 20198 f11d90 20197->20198 20216 f19c02 20198->20216 20204 f12a37 20203->20204 20208 f12a4d 20203->20208 20294 f14e6d 20204->20294 20206 f12a5d 20206->20183 20207 f12a42 std::_Locinfo::_Locinfo_dtor 20207->20183 20208->20206 20299 f1acb3 20208->20299 20211 f11d38 20210->20211 20212 f11d4c 20210->20212 20211->20212 20213 f12f1d __strnicoll 14 API calls 20211->20213 20212->20184 20214 f11d41 20213->20214 20215 f12e1f __strnicoll 43 API calls 20214->20215 20215->20212 20217 f11dad 20216->20217 20218 f19c19 20216->20218 20220 f19c60 20217->20220 20218->20217 20224 f21ab3 20218->20224 20221 f19c77 20220->20221 20222 f11dba 20220->20222 20221->20222 20273 f20196 20221->20273 20222->20183 20225 f21abf ___scrt_is_nonwritable_in_current_image 20224->20225 20237 f19827 GetLastError 20225->20237 20228 f21b0e 20228->20217 20230 f21ae6 20265 f21b34 20230->20265 20235 f12fe7 CallUnexpected 

                                    Control-flow Graph

                                    APIs
                                    • CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,030F00FF,030F00EF), ref: 030F02FC
                                    • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 030F030F
                                    • Wow64GetThreadContext.KERNEL32(00000114,00000000), ref: 030F032D
                                    • ReadProcessMemory.KERNELBASE(0000010C,?,030F0143,00000004,00000000), ref: 030F0351
                                    • VirtualAllocEx.KERNELBASE(0000010C,?,?,00003000,00000040), ref: 030F037C
                                    • WriteProcessMemory.KERNELBASE(0000010C,00000000,?,?,00000000,?), ref: 030F03D4
                                    • WriteProcessMemory.KERNELBASE(0000010C,00400000,?,?,00000000,?,00000028), ref: 030F041F
                                    • WriteProcessMemory.KERNELBASE(0000010C,?,?,00000004,00000000), ref: 030F045D
                                    • Wow64SetThreadContext.KERNEL32(00000114,03100000), ref: 030F0499
                                    • ResumeThread.KERNELBASE(00000114), ref: 030F04A8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2138394389.00000000030F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_30f0000_file.jbxd
                                    Similarity
                                    • API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
                                    • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
                                    • API String ID: 2687962208-1257834847
                                    • Opcode ID: 6ed679946abb4a161c9f75f6101290084365813039212a6bd0c7882d8dd446c2
                                    • Instruction ID: c35369a4b656cf6c5c45e806a41948b4bf36472dc0fc1229005daba49f6ece4b
                                    • Opcode Fuzzy Hash: 6ed679946abb4a161c9f75f6101290084365813039212a6bd0c7882d8dd446c2
                                    • Instruction Fuzzy Hash: 8EB1F77264124AAFDB60CF68CC80BDA73A9FF88714F158564EA0CEB341D774FA418B94
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2138000335.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2137984169.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138027358.0000000000F2A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F77000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138103233.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 7a32428d224da878f8f57b6009f1a9ec6bb5a81043c30a534999c904bde2cab5
                                    • Instruction ID: 94b942e95f72079efeb415017932006810cae3c8c6ef4775438965063571dc57
                                    • Opcode Fuzzy Hash: 7a32428d224da878f8f57b6009f1a9ec6bb5a81043c30a534999c904bde2cab5
                                    • Instruction Fuzzy Hash: D2F0E531A18224EBCB12D74CD815AD9B3ACEB44B62F110096F801D7241C3B0EE41EBD0

                                    Control-flow Graph

                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00F0524D
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00F05267
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00F05288
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00F052B4
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00F052E9
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00F05326
                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00F05377
                                    • std::_Facet_Register.LIBCPMT ref: 00F05396
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00F053AF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2138000335.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2137984169.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138027358.0000000000F2A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F77000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138103233.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: std::_$Lockit$Lockit::~_$Lockit::_$Facet_Locinfo::_Locinfo_ctorRegister
                                    • String ID: bad locale name
                                    • API String ID: 3434717313-1405518554
                                    • Opcode ID: 12483240db66fca855063443f307253b62f84edb917db2b958b3c3a0225caf64
                                    • Instruction ID: 24f69ab95d455746a9c582adcc37d5748ec29827d0f0cd6ce62044c149f2c550
                                    • Opcode Fuzzy Hash: 12483240db66fca855063443f307253b62f84edb917db2b958b3c3a0225caf64
                                    • Instruction Fuzzy Hash: 5341B131A043408FC310DF64D844BABB7E4FF90B20F54455DE88897291DB75E90AFBA2

                                    Control-flow Graph

                                    APIs
                                    • GetCurrentThreadId.KERNEL32 ref: 00F29CCD
                                      • Part of subcall function 00F0A7F2: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000), ref: 00F0A7FE
                                      • Part of subcall function 00F0A7F2: GetExitCodeThread.KERNEL32(?,?), ref: 00F0A817
                                      • Part of subcall function 00F0A7F2: CloseHandle.KERNEL32(?), ref: 00F0A829
                                    • std::_Throw_Cpp_error.LIBCPMT ref: 00F29D0B
                                    • std::_Throw_Cpp_error.LIBCPMT ref: 00F29D12
                                    • std::_Throw_Cpp_error.LIBCPMT ref: 00F29D19
                                    • std::_Throw_Cpp_error.LIBCPMT ref: 00F29D20
                                    • GetThreadId.KERNEL32(00000000,26250299), ref: 00F29D5D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2138000335.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2137984169.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138027358.0000000000F2A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F77000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138103233.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Cpp_errorThrow_std::_$Thread$CloseCodeCurrentExitHandleObjectSingleWait
                                    • String ID: Success created.$Success destroyed.
                                    • API String ID: 2210105531-4203135720
                                    • Opcode ID: ff02e16145b4574e5359987cf38adead49e57be2357544d26cccc0d48b4f29dc
                                    • Instruction ID: 7e8c33efbb5e0020cc5d034dd7c1ce40f520df39276d602f112299036fe03875
                                    • Opcode Fuzzy Hash: ff02e16145b4574e5359987cf38adead49e57be2357544d26cccc0d48b4f29dc
                                    • Instruction Fuzzy Hash: BA31FC71E48312ABE720BB649C03F5A77A4FB04B61F500565F954E71C2E7BA9810F792

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 111 f18baf-f18bbb 112 f18c4d-f18c50 111->112 113 f18bc0-f18bd1 112->113 114 f18c56 112->114 116 f18bd3-f18bd6 113->116 117 f18bde-f18bf7 LoadLibraryExW 113->117 115 f18c58-f18c5c 114->115 118 f18c76-f18c78 116->118 119 f18bdc 116->119 120 f18bf9-f18c02 GetLastError 117->120 121 f18c5d-f18c6d 117->121 118->115 123 f18c4a 119->123 124 f18c04-f18c16 call f18908 120->124 125 f18c3b-f18c48 120->125 121->118 122 f18c6f-f18c70 FreeLibrary 121->122 122->118 123->112 124->125 128 f18c18-f18c2a call f18908 124->128 125->123 128->125 131 f18c2c-f18c39 LoadLibraryExW 128->131 131->121 131->125
                                    APIs
                                    • FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,26250299,?,00F18CBC,?,?,?,00000000), ref: 00F18C70
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2138000335.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2137984169.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138027358.0000000000F2A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F77000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138103233.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: FreeLibrary
                                    • String ID: api-ms-$ext-ms-
                                    • API String ID: 3664257935-537541572
                                    • Opcode ID: c3f598135e70ab0507a75f7ebdc403a1da97781ba1df51c7b81246f236cb3bfb
                                    • Instruction ID: ed0cac3a1664085962cea135a70c09941895f066635360a172c12de4a9ea15e7
                                    • Opcode Fuzzy Hash: c3f598135e70ab0507a75f7ebdc403a1da97781ba1df51c7b81246f236cb3bfb
                                    • Instruction Fuzzy Hash: E5210572E02215ABCB219B60DE50AEA3768EF517F0B150110E905A7290EF30ED83FAE1

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 132 f0f7dc-f0f7e7 133 f0f7e9-f0f7fc call f12f1d call f12e1f 132->133 134 f0f7fd-f0f810 call f0f78c 132->134 139 f0f812-f0f82f CreateThread 134->139 140 f0f83e 134->140 142 f0f831-f0f83d GetLastError call f12ec3 139->142 143 f0f84d-f0f852 139->143 144 f0f840-f0f84c call f0f6fe 140->144 142->140 148 f0f854-f0f857 143->148 149 f0f859-f0f85d 143->149 148->149 149->144
                                    APIs
                                    • CreateThread.KERNELBASE(?,?,Function_0000F680,00000000,?,?), ref: 00F0F825
                                    • GetLastError.KERNEL32 ref: 00F0F831
                                    • __dosmaperr.LIBCMT ref: 00F0F838
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2138000335.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2137984169.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138027358.0000000000F2A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F77000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138103233.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CreateErrorLastThread__dosmaperr
                                    • String ID:
                                    • API String ID: 2744730728-0
                                    • Opcode ID: 88f339caaa21f6914a415f5e800041fc912145154cd87a0ae4ea8b259fb05583
                                    • Instruction ID: 9bba1db3debcaf765b2ece98955f58b2345b972c7abf57ea54e2912876828c7c
                                    • Opcode Fuzzy Hash: 88f339caaa21f6914a415f5e800041fc912145154cd87a0ae4ea8b259fb05583
                                    • Instruction Fuzzy Hash: 29017172900219EFDF259FE0DC06ADE7BA4EF00360F104168F901965A0DB75DE59FBA1

                                    Control-flow Graph

                                    APIs
                                    • VirtualAlloc.KERNELBASE(00000000,000004AC,00001000,00000040,?,?,?,?), ref: 00F29BB8
                                    • GetUpdateRgn.USER32(00000000,00000000,00000000), ref: 00F29BC9
                                    • CreateThread.KERNELBASE(00000000,00000000,00F29B20,00000000,00000000,00000000), ref: 00F29C5F
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,?), ref: 00F29C68
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2138000335.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2137984169.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138027358.0000000000F2A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F77000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138103233.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AllocCreateObjectSingleThreadUpdateVirtualWait
                                    • String ID:
                                    • API String ID: 1268193855-0
                                    • Opcode ID: b65ea98179643923dec94bcddfcda20fe18eb977cd90c52e86dfc0d498d9bbca
                                    • Instruction ID: bc5e5895c64ec147a00ec712310c4f35870841c0115ab0b9d4dc3a2e7d9a4466
                                    • Opcode Fuzzy Hash: b65ea98179643923dec94bcddfcda20fe18eb977cd90c52e86dfc0d498d9bbca
                                    • Instruction Fuzzy Hash: 21314B71E042086BD704EF68FD82BADB7B1BF45310F104219FD006B3C1EB74AA85A785

                                    Control-flow Graph

                                    APIs
                                    • GetLastError.KERNEL32(00F33A10,0000000C), ref: 00F0F693
                                    • ExitThread.KERNEL32 ref: 00F0F69A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2138000335.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2137984169.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138027358.0000000000F2A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F77000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138103233.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorExitLastThread
                                    • String ID:
                                    • API String ID: 1611280651-0
                                    • Opcode ID: 7ad203570ddc88d3382a307768c468c2bfde9fb25fe98e06c92ef15845f5f4d1
                                    • Instruction ID: 799c165b582ded6d5f8cf7c857ddffc30f63862c7ee62f91fe431ffb13ca02ee
                                    • Opcode Fuzzy Hash: 7ad203570ddc88d3382a307768c468c2bfde9fb25fe98e06c92ef15845f5f4d1
                                    • Instruction Fuzzy Hash: 4AF0AF71900205AFDF10EF70DC0AAAE3B65EF40720F204159F0019B2A2CB78A945FFA1

                                    Control-flow Graph

                                    control_flow_graph 191 f18c7a-f18ca2 192 f18ca4-f18ca6 191->192 193 f18ca8-f18caa 191->193 194 f18cf9-f18cfc 192->194 195 f18cb0-f18cb7 call f18baf 193->195 196 f18cac-f18cae 193->196 198 f18cbc-f18cc0 195->198 196->194 199 f18cc2-f18cd0 GetProcAddress 198->199 200 f18cdf-f18cf6 198->200 199->200 201 f18cd2-f18cdd call f160db 199->201 202 f18cf8 200->202 201->202 202->194
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2138000335.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2137984169.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138027358.0000000000F2A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F77000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138103233.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4178875456d40899b514963a65378089199750952555010cc48c70ebc79e0d18
                                    • Instruction ID: 7e22ca319a5d5a75f72f88a54216d7703acb926a650d2ae70c5aaca789d511af
                                    • Opcode Fuzzy Hash: 4178875456d40899b514963a65378089199750952555010cc48c70ebc79e0d18
                                    • Instruction Fuzzy Hash: 5201F5737116269BEB198E2DEE40ADB3396FBC47B03244220F900DB184DF318882A7E0

                                    Control-flow Graph

                                    control_flow_graph 205 f19b87-f19b93 206 f19bc5-f19bd0 call f12f1d 205->206 207 f19b95-f19b97 205->207 214 f19bd2-f19bd4 206->214 209 f19bb0-f19bc1 RtlAllocateHeap 207->209 210 f19b99-f19b9a 207->210 211 f19bc3 209->211 212 f19b9c-f19ba3 call f18279 209->212 210->209 211->214 212->206 217 f19ba5-f19bae call f182c4 212->217 217->206 217->209
                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000000,00F1FFAD,?,?,00F1FFAD,00000220,?,00000010,?), ref: 00F19BB9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2138000335.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2137984169.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138027358.0000000000F2A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F77000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138103233.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: 018e87c890bf3407da0c5fcbea86bf0a1ed3ab78e993752324b77d19db6aab2c
                                    • Instruction ID: ed4cfe266e4fa767044c98ae6118259b8fb5659203a1405d6cf2856ff7244932
                                    • Opcode Fuzzy Hash: 018e87c890bf3407da0c5fcbea86bf0a1ed3ab78e993752324b77d19db6aab2c
                                    • Instruction Fuzzy Hash: 18E06532A0C62566DA22A665AC25BEB365CAB813B0F150120AC09960D5DFE4CDC1B5E1
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2138000335.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2137984169.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138027358.0000000000F2A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F77000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138103233.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: __floor_pentium4
                                    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                    • API String ID: 4168288129-2761157908
                                    • Opcode ID: 82e1e0cc00390f72e7b940ae73839dd120bc172d309814ff97a055522362a3bf
                                    • Instruction ID: 9dfb54704dce60df67fc9da0afaf787ff20e20c4b99fc916259aa8b2a527bcd0
                                    • Opcode Fuzzy Hash: 82e1e0cc00390f72e7b940ae73839dd120bc172d309814ff97a055522362a3bf
                                    • Instruction Fuzzy Hash: 4DD22AB2E082388FDB65CE28ED407EAB7B5EB84315F1441EAD44DE7240D778AE859F41
                                    APIs
                                    • GetLocaleInfoW.KERNEL32(?,2000000B,00F22D2D,00000002,00000000,?,?,?,00F22D2D,?,00000000), ref: 00F22AA8
                                    • GetLocaleInfoW.KERNEL32(?,20001004,00F22D2D,00000002,00000000,?,?,?,00F22D2D,?,00000000), ref: 00F22AD1
                                    • GetACP.KERNEL32(?,?,00F22D2D,?,00000000), ref: 00F22AE6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2138000335.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2137984169.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138027358.0000000000F2A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F77000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138103233.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: InfoLocale
                                    • String ID: ACP$OCP
                                    • API String ID: 2299586839-711371036
                                    • Opcode ID: 0168e14e1de8f03321c9e6ba85eec2270e75f1fd14f8ec9c17e675183cb28591
                                    • Instruction ID: cb7b7064dd039ebf608971e4de04e91fa5bf9b955b85d3b1db85702d924105cb
                                    • Opcode Fuzzy Hash: 0168e14e1de8f03321c9e6ba85eec2270e75f1fd14f8ec9c17e675183cb28591
                                    • Instruction Fuzzy Hash: 2621B322E00125BBDBB4DF54ED01B9772A7EB50F70B568434E80AD7901E73ADE41EB50
                                    APIs
                                      • Part of subcall function 00F19827: GetLastError.KERNEL32(?,?,00F0F6A5,00F33A10,0000000C), ref: 00F1982B
                                      • Part of subcall function 00F19827: SetLastError.KERNEL32(00000000), ref: 00F198CD
                                    • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00F22CF0
                                    • IsValidCodePage.KERNEL32(00000000), ref: 00F22D39
                                    • IsValidLocale.KERNEL32(?,00000001), ref: 00F22D48
                                    • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00F22D90
                                    • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00F22DAF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2138000335.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2137984169.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138027358.0000000000F2A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F77000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138103233.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                    • String ID:
                                    • API String ID: 415426439-0
                                    • Opcode ID: a28094d3bfedc0d6b5b3983b8ea7d6d9440b6d48403dc804f339351aea6a5dcc
                                    • Instruction ID: 0186a318d3b9c4ec557ba287dd4eb5da836d5de8b990a83ca8c348c87090ebc8
                                    • Opcode Fuzzy Hash: a28094d3bfedc0d6b5b3983b8ea7d6d9440b6d48403dc804f339351aea6a5dcc
                                    • Instruction Fuzzy Hash: A4518372E00229BBDF60DFA5EC41ABE77B8FF14720F544429E911E7150EB749A40AB61
                                    APIs
                                      • Part of subcall function 00F19827: GetLastError.KERNEL32(?,?,00F0F6A5,00F33A10,0000000C), ref: 00F1982B
                                      • Part of subcall function 00F19827: SetLastError.KERNEL32(00000000), ref: 00F198CD
                                    • GetACP.KERNEL32(?,?,?,?,?,?,00F1730D,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00F22341
                                    • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00F1730D,?,?,?,00000055,?,-00000050,?,?), ref: 00F2236C
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00F224CF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2138000335.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2137984169.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138027358.0000000000F2A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F77000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138103233.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast$CodeInfoLocalePageValid
                                    • String ID: utf8
                                    • API String ID: 607553120-905460609
                                    • Opcode ID: 4ea83fa0e645c5aca0b8fa16d1f26bd1704c68945d6f3c814c911ad06011b77a
                                    • Instruction ID: d65690c552be10aaef6238b8ab830e65ee8bda080d04a3cb8b554f25a504fc72
                                    • Opcode Fuzzy Hash: 4ea83fa0e645c5aca0b8fa16d1f26bd1704c68945d6f3c814c911ad06011b77a
                                    • Instruction Fuzzy Hash: DD71F671A00225BADB64EB75EC42FBA73A8FF18720F144029F905DB182EB78ED41E751
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2138000335.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2137984169.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138027358.0000000000F2A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F77000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138103233.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _strrchr
                                    • String ID:
                                    • API String ID: 3213747228-0
                                    • Opcode ID: adabab75f0cd4e4127e2d25f40a6035a1c11768978d09e5fd8cbb18de81cc5b4
                                    • Instruction ID: 959a9a45ba8511943bd9f36512c9332af71eba69830eb799b663458a49b61680
                                    • Opcode Fuzzy Hash: adabab75f0cd4e4127e2d25f40a6035a1c11768978d09e5fd8cbb18de81cc5b4
                                    • Instruction Fuzzy Hash: F9B17A32D092459FDB11CF28C8A17FEBBA5EF59310F148169E805EB241C279DD82EBE1
                                    APIs
                                    • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00F0B6A6
                                    • IsDebuggerPresent.KERNEL32 ref: 00F0B772
                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00F0B78B
                                    • UnhandledExceptionFilter.KERNEL32(?), ref: 00F0B795
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2138000335.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2137984169.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138027358.0000000000F2A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F77000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138103233.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                    • String ID:
                                    • API String ID: 254469556-0
                                    • Opcode ID: cf29895d772fb92023c396bfe8b01b11f737166eef92909d3fedd0791e3055ca
                                    • Instruction ID: ebb96b0b5f8b10f1cde260211a5b9d9761b2d4c9b3dbbd72d447a4c214334ef8
                                    • Opcode Fuzzy Hash: cf29895d772fb92023c396bfe8b01b11f737166eef92909d3fedd0791e3055ca
                                    • Instruction Fuzzy Hash: 4731F875D0521C9BDF21DF64DD497CDBBB8AF08300F1041EAE50CAB290EB759A85AF45
                                    APIs
                                      • Part of subcall function 00F19827: GetLastError.KERNEL32(?,?,00F0F6A5,00F33A10,0000000C), ref: 00F1982B
                                      • Part of subcall function 00F19827: SetLastError.KERNEL32(00000000), ref: 00F198CD
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00F226E7
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00F22731
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00F227F7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2138000335.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2137984169.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138027358.0000000000F2A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F77000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138103233.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: InfoLocale$ErrorLast
                                    • String ID:
                                    • API String ID: 661929714-0
                                    • Opcode ID: 382dae221ed905098da1fe29c99baa7a059f89b4e65e9f7225c4aabfbd77b35d
                                    • Instruction ID: 64ce01469644c8cae3e299c9f21c82780ebc9004ca55c1e38592f8aec6e2c3a1
                                    • Opcode Fuzzy Hash: 382dae221ed905098da1fe29c99baa7a059f89b4e65e9f7225c4aabfbd77b35d
                                    • Instruction Fuzzy Hash: 9D619371900127AFEB68DF28EC82BBA73A8FF04721F10417AED05D6585E738D995EB50
                                    APIs
                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000010), ref: 00F12D1B
                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000010), ref: 00F12D25
                                    • UnhandledExceptionFilter.KERNEL32(00F33748,?,?,?,?,?,00000010), ref: 00F12D32
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2138000335.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2137984169.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138027358.0000000000F2A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F77000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138103233.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                    • String ID:
                                    • API String ID: 3906539128-0
                                    • Opcode ID: 8b044d3bb22dbeaf18a06f50a50fddca049f83336e41bbce28c38158231231bd
                                    • Instruction ID: 78a49aa3e2949bc793c3b96a3cf8aabadfcd04f3ea278ab02b5c9602c81fe518
                                    • Opcode Fuzzy Hash: 8b044d3bb22dbeaf18a06f50a50fddca049f83336e41bbce28c38158231231bd
                                    • Instruction Fuzzy Hash: 7D31D47490121C9BCB21DF64DD88BCDBBB8BF18310F5042EAE41CA72A0E7349B859F45
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2138000335.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2137984169.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138027358.0000000000F2A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F77000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138103233.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: fec831842d4b3e083d0d5fc355441d8007b4a970f2afc1f871a5a5b277875a26
                                    • Instruction ID: dd296c86e960f34dddef56b101d9859a381234520b845e394dc70c327bf67457
                                    • Opcode Fuzzy Hash: fec831842d4b3e083d0d5fc355441d8007b4a970f2afc1f871a5a5b277875a26
                                    • Instruction Fuzzy Hash: 08F12A71E01619DFDF14CFA9C880AEDB7B1EF88724F158269E819AB390D730AD45DB90
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2138000335.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2137984169.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138027358.0000000000F2A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F77000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138103233.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: %$+
                                    • API String ID: 0-2626897407
                                    Strings
                                    Similarity
                                    • API ID:
                                    • String ID: %$+
                                    • API String ID: 0-2626897407
                                    APIs
                                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00F1B117,?,?,00000008,?,?,00F27A35,00000000), ref: 00F1B349
                                    Similarity
                                    • API ID: ExceptionRaise
                                    • String ID:
                                    • API String ID: 3997070919-0
                                    APIs
                                    • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00F0B396
                                    Similarity
                                    • API ID: FeaturePresentProcessor
                                    • String ID:
                                    • API String ID: 2325560087-0
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Strings
                                    Similarity
                                    • API ID:
                                    • String ID: 0
                                    • API String ID: 0-4108050209
                                    APIs
                                      • Part of subcall function 00F19827: GetLastError.KERNEL32(?,?,00F0F6A5,00F33A10,0000000C), ref: 00F1982B
                                      • Part of subcall function 00F19827: SetLastError.KERNEL32(00000000), ref: 00F198CD
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00F2293A
                                    Similarity
                                    • API ID: ErrorLast$InfoLocale
                                    • String ID:
                                    • API String ID: 3736152602-0
                                    Strings
                                    Similarity
                                    • API ID:
                                    • String ID: 0
                                    • API String ID: 0-4108050209
                                    APIs
                                      • Part of subcall function 00F19827: GetLastError.KERNEL32(?,?,00F0F6A5,00F33A10,0000000C), ref: 00F1982B
                                      • Part of subcall function 00F19827: SetLastError.KERNEL32(00000000), ref: 00F198CD
                                    • EnumSystemLocalesW.KERNEL32(00F22693,00000001,00000000,?,-00000050,?,00F22CC4,00000000,?,?,?,00000055,?), ref: 00F225DF
                                    Similarity
                                    • API ID: ErrorLast$EnumLocalesSystem
                                    • String ID:
                                    • API String ID: 2417226690-0
                                    APIs
                                      • Part of subcall function 00F19827: GetLastError.KERNEL32(?,?,00F0F6A5,00F33A10,0000000C), ref: 00F1982B
                                      • Part of subcall function 00F19827: SetLastError.KERNEL32(00000000), ref: 00F198CD
                                    • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00F22990,00000000,00000000,?), ref: 00F22B41
                                    Similarity
                                    • API ID: ErrorLast$InfoLocale
                                    • String ID:
                                    • API String ID: 3736152602-0
                                    APIs
                                      • Part of subcall function 00F19827: GetLastError.KERNEL32(?,?,00F0F6A5,00F33A10,0000000C), ref: 00F1982B
                                      • Part of subcall function 00F19827: SetLastError.KERNEL32(00000000), ref: 00F198CD
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00F224CF
                                    Strings
                                    Similarity
                                    • API ID: ErrorLast$InfoLocale
                                    • String ID: utf8
                                    • API String ID: 3736152602-905460609
                                    APIs
                                      • Part of subcall function 00F19827: GetLastError.KERNEL32(?,?,00F0F6A5,00F33A10,0000000C), ref: 00F1982B
                                      • Part of subcall function 00F19827: SetLastError.KERNEL32(00000000), ref: 00F198CD
                                    • EnumSystemLocalesW.KERNEL32(00F228E6,00000001,?,?,-00000050,?,00F22C88,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00F22652
                                    Similarity
                                    • API ID: ErrorLast$EnumLocalesSystem
                                    • String ID:
                                    • API String ID: 2417226690-0
                                    APIs
                                      • Part of subcall function 00F12F71: EnterCriticalSection.KERNEL32(?,?,00F194FF,?,00F33DE0,00000008,00F196C3,?,?,?), ref: 00F12F80
                                    • EnumSystemLocalesW.KERNEL32(00F189D9,00000001,00F33D80,0000000C,00F18E48,00000000), ref: 00F18A1E
                                    Similarity
                                    • API ID: CriticalEnterEnumLocalesSectionSystem
                                    • String ID:
                                    • API String ID: 1272433827-0
                                    APIs
                                      • Part of subcall function 00F19827: GetLastError.KERNEL32(?,?,00F0F6A5,00F33A10,0000000C), ref: 00F1982B
                                      • Part of subcall function 00F19827: SetLastError.KERNEL32(00000000), ref: 00F198CD
                                    • EnumSystemLocalesW.KERNEL32(00F2247B,00000001,?,?,?,00F22CE6,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00F22559
                                    Similarity
                                    • API ID: ErrorLast$EnumLocalesSystem
                                    • String ID:
                                    • API String ID: 2417226690-0
                                    APIs
                                    • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00F17E73,?,20001004,00000000,00000002,?,?,00F17475), ref: 00F18F80
                                    Similarity
                                    • API ID: InfoLocale
                                    • String ID:
                                    • API String ID: 2299586839-0
                                    APIs
                                    • SetUnhandledExceptionFilter.KERNEL32(Function_0000B802,00F0AE2A), ref: 00F0B7FB
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled
                                    • String ID:
                                    • API String ID: 3192549508-0
                                    Similarity
                                    • API ID: HeapProcess
                                    • String ID:
                                    • API String ID: 54951025-0
                                    Similarity
                                    • API ID: ErrorLastProcess$CurrentFeatureInfoLocalePresentProcessorTerminate
                                    • String ID:
                                    • API String ID: 3471368781-0
                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00F04E9D
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00F04EB7
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00F04ED8
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00F04F04
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00F04F39
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00F04F76
                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00F04FC7
                                    • __Getctype.LIBCPMT ref: 00F04FDE
                                    • std::_Facet_Register.LIBCPMT ref: 00F04FF7
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00F05010
                                    Strings
                                    Similarity
                                    • API ID: std::_$Lockit$Lockit::~_$Lockit::_$Facet_GetctypeLocinfo::_Locinfo_ctorRegister
                                    • String ID: bad locale name
                                    • API String ID: 1407599034-1405518554
                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00F053DD
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00F053F7
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00F05418
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00F05444
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00F05479
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00F054B6
                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00F05507
                                    • std::_Facet_Register.LIBCPMT ref: 00F05526
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00F0553F
                                    Strings
                                    Similarity
                                    • API ID: std::_$Lockit$Lockit::~_$Lockit::_$Facet_Locinfo::_Locinfo_ctorRegister
                                    • String ID: bad locale name
                                    • API String ID: 3434717313-1405518554
                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00F064A0
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00F064BA
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00F064DB
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00F0650A
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00F06571
                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00F065CE
                                    • __Getctype.LIBCPMT ref: 00F065E5
                                    • std::_Facet_Register.LIBCPMT ref: 00F0662A
                                    Strings
                                    Similarity
                                    • API ID: std::_$Lockit$Lockit::_$Lockit::~_$Facet_GetctypeLocinfo::_Locinfo_ctorRegister
                                    • String ID: bad locale name
                                    • API String ID: 2622896957-1405518554
                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00F069B1
                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00F06A06
                                    • Concurrency::cancel_current_task.LIBCPMT ref: 00F06B7E
                                    Strings
                                    Similarity
                                    • API ID: std::_$Concurrency::cancel_current_taskLocinfo::_Locinfo_ctorLockitLockit::_
                                    • String ID: ,$.$bad locale name$false$true
                                    • API String ID: 1995332507-3659324578
                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00F06BE2
                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00F06C37
                                    • Concurrency::cancel_current_task.LIBCPMT ref: 00F06D01
                                    • Concurrency::cancel_current_task.LIBCPMT ref: 00F06D06
                                    • Concurrency::cancel_current_task.LIBCPMT ref: 00F06D0B
                                    Strings
                                    Similarity
                                    • API ID: Concurrency::cancel_current_task$std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                    • String ID: bad locale name$false$true
                                    • API String ID: 164343898-1062449267
                                    APIs
                                    • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00F0AD33
                                    • GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 00F0AD41
                                    • GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00F0AD52
                                    • GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 00F0AD63
                                    Strings
                                    Similarity
                                    • API ID: AddressProc$HandleModule
                                    • String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
                                    • API String ID: 667068680-1247241052
                                    APIs
                                    • type_info::operator==.LIBVCRUNTIME ref: 00F0E627
                                    • ___TypeMatch.LIBVCRUNTIME ref: 00F0E735
                                    • _UnwindNestedFrames.LIBCMT ref: 00F0E887
                                    • CallUnexpected.LIBVCRUNTIME ref: 00F0E8A2
                                    Strings
                                    Similarity
                                    • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                    • String ID: csm$csm$csm
                                    • API String ID: 2751267872-393685449
                                    APIs
                                    • GetCPInfo.KERNEL32(01524380,01524380,?,7FFFFFFF,?,00F26BCA,01524380,01524380,?,01524380,?,?,?,?,01524380,?), ref: 00F269A0
                                    • __alloca_probe_16.LIBCMT ref: 00F26A5B
                                    • __alloca_probe_16.LIBCMT ref: 00F26AEA
                                    • __freea.LIBCMT ref: 00F26B35
                                    • __freea.LIBCMT ref: 00F26B3B
                                    • __freea.LIBCMT ref: 00F26B71
                                    • __freea.LIBCMT ref: 00F26B77
                                    • __freea.LIBCMT ref: 00F26B87
                                    Similarity
                                    • API ID: __freea$__alloca_probe_16$Info
                                    • String ID:
                                    • API String ID: 127012223-0
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,CCCCCCCC,00F01C8F,?,00000001,00000000,00000002,00000001,?,00F01C8F,?), ref: 00F0AB5A
                                    • __alloca_probe_16.LIBCMT ref: 00F0AB86
                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000,?,00F01C8F,?,00000000,00F31DDE,01526580,?,?,?,00F06AAC), ref: 00F0ABC5
                                    • LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00F01C8F,?,00000000,00F31DDE,01526580), ref: 00F0ABE2
                                    • LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,00F01C8F,?,00000000,00F31DDE,01526580), ref: 00F0AC21
                                    • __alloca_probe_16.LIBCMT ref: 00F0AC3E
                                    • LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00F01C8F,?,00000000,00F31DDE,01526580), ref: 00F0AC80
                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,00F01C8F,?,00000000,00F31DDE,01526580), ref: 00F0ACA3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2138000335.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2137984169.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138027358.0000000000F2A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F77000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138103233.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharMultiStringWide$__alloca_probe_16
                                    • String ID:
                                    • API String ID: 2040435927-0
                                    • Opcode ID: 203cb852745f2c729cec57f09f2f9e7566b8f4f6a37b7245af3a42cc1b7f5912
                                    • Instruction ID: 533bdb0db2bf1ff9a37b0b415a63f93c7f9d9fb17befe908c5a48d60dae37a17
                                    • Opcode Fuzzy Hash: 203cb852745f2c729cec57f09f2f9e7566b8f4f6a37b7245af3a42cc1b7f5912
                                    • Instruction Fuzzy Hash: BF51B072A0031AABEF219F60CC45FAA7BA9EB44760F158124FD05A61D0E735CC10FB52
                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00F0610D
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00F0612B
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00F0614C
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00F0619C
                                    • std::_Facet_Register.LIBCPMT ref: 00F061C6
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00F061DF
                                      • Part of subcall function 00F01930: ___std_exception_copy.LIBVCRUNTIME ref: 00F0196C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2138000335.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2137984169.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138027358.0000000000F2A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F77000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138103233.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: std::_$Lockit$Lockit::~_$Lockit::_$Facet_Register___std_exception_copy
                                    • String ID:
                                    • API String ID: 728164013-0
                                    • Opcode ID: 24f5f897d34d1bb087acd4c9d693dfa417c19e2501653bd423dedc4273f9cde1
                                    • Instruction ID: e33dc26bb3a86fc2a2e54aa140094a1d520311c87ff0af2e07347529f7aaf6e7
                                    • Opcode Fuzzy Hash: 24f5f897d34d1bb087acd4c9d693dfa417c19e2501653bd423dedc4273f9cde1
                                    • Instruction Fuzzy Hash: A7212232A042118FC721EF14DC409AAB3A4FF80720F144699E955972E2DB34AD2AFBD2
                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00F05A6D
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00F05A8B
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00F05AAC
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00F05AFC
                                    • std::_Facet_Register.LIBCPMT ref: 00F05B26
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00F05B3F
                                      • Part of subcall function 00F01930: ___std_exception_copy.LIBVCRUNTIME ref: 00F0196C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2138000335.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2137984169.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138027358.0000000000F2A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F77000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138103233.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: std::_$Lockit$Lockit::~_$Lockit::_$Facet_Register___std_exception_copy
                                    • String ID:
                                    • API String ID: 728164013-0
                                    • Opcode ID: be89350e9cf22fbefbd9744fb5ebffaab65c4cccad9c4ba6a9fcda47856a3462
                                    • Instruction ID: d268860868c4ce8bf447330928ebab6de79d20ce830d749c3916c4d488407803
                                    • Opcode Fuzzy Hash: be89350e9cf22fbefbd9744fb5ebffaab65c4cccad9c4ba6a9fcda47856a3462
                                    • Instruction Fuzzy Hash: 9721C171A003158BC711EF14EC809ABB7A8FB94720F14465DE981972D1DB39BD0AFBD2
                                    APIs
                                    • GetLastError.KERNEL32(?,?,00F0E191,00F0C74C,00F0B846), ref: 00F0E1A8
                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00F0E1B6
                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00F0E1CF
                                    • SetLastError.KERNEL32(00000000,00F0E191,00F0C74C,00F0B846), ref: 00F0E221
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2138000335.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2137984169.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138027358.0000000000F2A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F77000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138103233.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLastValue___vcrt_
                                    • String ID:
                                    • API String ID: 3852720340-0
                                    • Opcode ID: 330bf8f99e15bd7d54bc468ba7e6926b15613132131c52069c558d6f71504bc4
                                    • Instruction ID: 5add77705468695a058f7d43f2ca70f9598c4d8f18510e147f62da218abddffe
                                    • Opcode Fuzzy Hash: 330bf8f99e15bd7d54bc468ba7e6926b15613132131c52069c558d6f71504bc4
                                    • Instruction Fuzzy Hash: 2D01F773A0D6166EE73827B47CC5B6A3B5ADB41774320063AF9108A4E1EF628C45B181
                                    APIs
                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,26250299,?,?,00000000,00F286B3,000000FF,?,00F16980,00000002,?,00F16954,00F1302A), ref: 00F16A25
                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00F16A37
                                    • FreeLibrary.KERNEL32(00000000,?,?,00000000,00F286B3,000000FF,?,00F16980,00000002,?,00F16954,00F1302A), ref: 00F16A59
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2138000335.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2137984169.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138027358.0000000000F2A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F77000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138103233.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressFreeHandleLibraryModuleProc
                                    • String ID: CorExitProcess$mscoree.dll
                                    • API String ID: 4061214504-1276376045
                                    • Opcode ID: 1f2cea55758545008ce32485b386da22d32b5a0ceb68ee3550eb7ef48d055009
                                    • Instruction ID: 538754885e671d7f64b92fae812a25787766b0e6fc085b516b814ada8e06bb93
                                    • Opcode Fuzzy Hash: 1f2cea55758545008ce32485b386da22d32b5a0ceb68ee3550eb7ef48d055009
                                    • Instruction Fuzzy Hash: C501A731944629ABCB11DF50DD05BAE7BF8FB04B20F044125E811F22D0DB799900DE91
                                    APIs
                                    • __alloca_probe_16.LIBCMT ref: 00F1ED29
                                    • __alloca_probe_16.LIBCMT ref: 00F1EDEA
                                    • __freea.LIBCMT ref: 00F1EE51
                                      • Part of subcall function 00F19B87: RtlAllocateHeap.NTDLL(00000000,00F1FFAD,?,?,00F1FFAD,00000220,?,00000010,?), ref: 00F19BB9
                                    • __freea.LIBCMT ref: 00F1EE66
                                    • __freea.LIBCMT ref: 00F1EE76
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2138000335.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2137984169.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138027358.0000000000F2A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F77000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138103233.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: __freea$__alloca_probe_16$AllocateHeap
                                    • String ID:
                                    • API String ID: 1423051803-0
                                    • Opcode ID: 94c8421d10192eacf065c7ce3cc41290a876abc2578d6f63e11153a73f2da96b
                                    • Instruction ID: f336aa3286aea7f476e194a656d3e1ece2567d85e5edaf12a34b89079af0c9a4
                                    • Opcode Fuzzy Hash: 94c8421d10192eacf065c7ce3cc41290a876abc2578d6f63e11153a73f2da96b
                                    • Instruction Fuzzy Hash: 6E51D372A00206AFEF259F60DC81EFB76A9EF48760F160528FC18D6150EB75CD90B7A0
                                    APIs
                                    • __EH_prolog3.LIBCMT ref: 00F07BE3
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00F07BED
                                      • Part of subcall function 00F01AC0: std::_Lockit::_Lockit.LIBCPMT ref: 00F01ACF
                                      • Part of subcall function 00F01AC0: std::_Lockit::~_Lockit.LIBCPMT ref: 00F01AEA
                                    • codecvt.LIBCPMT ref: 00F07C27
                                    • std::_Facet_Register.LIBCPMT ref: 00F07C3E
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00F07C5E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2138000335.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2137984169.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138027358.0000000000F2A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F77000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138103233.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
                                    • String ID:
                                    • API String ID: 712880209-0
                                    • Opcode ID: d120e53a5567d15d4ff8ac984dba334b2b87f4b63c83631e5ed6d42b52bea7bb
                                    • Instruction ID: d198e4e0c401ecb941be162163a568970f67283f2daf3017068a166270c3e82f
                                    • Opcode Fuzzy Hash: d120e53a5567d15d4ff8ac984dba334b2b87f4b63c83631e5ed6d42b52bea7bb
                                    • Instruction Fuzzy Hash: EB11AF71D042259FCB11FF649C456AEBBA4AF84760F244449F401AB3D2DF78AE01BB91
                                    APIs
                                    • __EH_prolog3.LIBCMT ref: 00F09316
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00F09320
                                      • Part of subcall function 00F01AC0: std::_Lockit::_Lockit.LIBCPMT ref: 00F01ACF
                                      • Part of subcall function 00F01AC0: std::_Lockit::~_Lockit.LIBCPMT ref: 00F01AEA
                                    • codecvt.LIBCPMT ref: 00F0935A
                                    • std::_Facet_Register.LIBCPMT ref: 00F09371
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00F09391
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2138000335.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2137984169.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138027358.0000000000F2A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F77000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138103233.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
                                    • String ID:
                                    • API String ID: 712880209-0
                                    • Opcode ID: 8256dc932707a041c3c1bf42b394f60a4b7af50acc7eed15f09b2411cfd36d36
                                    • Instruction ID: 5ea0af35ca3e0627ce3c869aaf03afe617d07f1dbe0b26142585f96a9e099fc8
                                    • Opcode Fuzzy Hash: 8256dc932707a041c3c1bf42b394f60a4b7af50acc7eed15f09b2411cfd36d36
                                    • Instruction Fuzzy Hash: 0211AF71D042299FCB11EB64CD067AEB7A8BF44760F144509F411A72D2EFB8AE01FB91
                                    APIs
                                    • __EH_prolog3.LIBCMT ref: 00F08F9E
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00F08FA9
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00F09017
                                      • Part of subcall function 00F090FA: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00F09112
                                    • std::locale::_Setgloballocale.LIBCPMT ref: 00F08FC4
                                    • _Yarn.LIBCPMT ref: 00F08FDA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2138000335.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2137984169.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138027358.0000000000F2A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F77000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138103233.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                    • String ID:
                                    • API String ID: 1088826258-0
                                    • Opcode ID: b460d07ca793a5f316e48e8044d0b432299b9656b575213b0b1b026957561970
                                    • Instruction ID: 8391acfd6e798250ee1d8f79ff935832ce3943697ec3642eca035a6f2ab24a82
                                    • Opcode Fuzzy Hash: b460d07ca793a5f316e48e8044d0b432299b9656b575213b0b1b026957561970
                                    • Instruction Fuzzy Hash: 2901BC79A042659BC706EB20DC4697D77A1FF85790B144008E811573C2DF78AA43FBD2
                                    APIs
                                    • ___std_exception_copy.LIBVCRUNTIME ref: 00F022CD
                                      • Part of subcall function 00F0BC00: RaiseException.KERNEL32(E06D7363,00000001,00000003,00F0BB23,?,?,?,?,00F0BB23,?,00F340FC,?), ref: 00F0BC60
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2138000335.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2137984169.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138027358.0000000000F2A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F77000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138103233.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExceptionRaise___std_exception_copy
                                    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                    • API String ID: 3109751735-1866435925
                                    • Opcode ID: 96c682ea3b8ff5695cf5e2aa16b4bf9187feadf0537da9f72e6bb56e6842f297
                                    • Instruction ID: 3564b4ed10f08e90eea8f0d40fd861ab8d139677d47cf3904f06213aa5b5802e
                                    • Opcode Fuzzy Hash: 96c682ea3b8ff5695cf5e2aa16b4bf9187feadf0537da9f72e6bb56e6842f297
                                    • Instruction Fuzzy Hash: D7113AB2900304ABD710DF98CC45B86B3D8BF45320F04852AF954972C1F774E844F7A1
                                    APIs
                                    • LoadLibraryExW.KERNEL32(00000011,00000000,00000800,?,00F0F293,00000000,00000001,00F817D4,?,?,?,00F0F436,00000004,InitializeCriticalSectionEx,00F2BE28,InitializeCriticalSectionEx), ref: 00F0F2EF
                                    • GetLastError.KERNEL32(?,00F0F293,00000000,00000001,00F817D4,?,?,?,00F0F436,00000004,InitializeCriticalSectionEx,00F2BE28,InitializeCriticalSectionEx,00000000,?,00F0F1ED), ref: 00F0F2F9
                                    • LoadLibraryExW.KERNEL32(00000011,00000000,00000000,?,00000011,00F0E103), ref: 00F0F321
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2138000335.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2137984169.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138027358.0000000000F2A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F77000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138103233.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: LibraryLoad$ErrorLast
                                    • String ID: api-ms-
                                    • API String ID: 3177248105-2084034818
                                    • Opcode ID: ff53797d9bb4705faf54fadf72ca7895e8ad6a1df1221f640843ebe113a62943
                                    • Instruction ID: 5339d469e81de620f6f2efa98846c7e5a2a3e352917d9495c6803b84c0873ce2
                                    • Opcode Fuzzy Hash: ff53797d9bb4705faf54fadf72ca7895e8ad6a1df1221f640843ebe113a62943
                                    • Instruction Fuzzy Hash: C2E04830641208B7DF301B60EC06B593F559F00B60F540030F90CE84E1D761D859B5C9
                                    APIs
                                    • GetConsoleOutputCP.KERNEL32(26250299,00000010,00000000,?), ref: 00F1BDF9
                                      • Part of subcall function 00F1F09E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00F1EE47,?,00000000,-00000008), ref: 00F1F14A
                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00F1C054
                                    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00F1C09C
                                    • GetLastError.KERNEL32 ref: 00F1C13F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2138000335.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2137984169.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138027358.0000000000F2A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F77000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138103233.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                    • String ID:
                                    • API String ID: 2112829910-0
                                    • Opcode ID: e5eba9c2602a56281e13c1d7cf2322a4d4433fc39452ae3504201c24e3d81572
                                    • Instruction ID: c022be82d7a48bfb3a3f07aa67d06bc3747e881281a6f3c8090071f6ea218103
                                    • Opcode Fuzzy Hash: e5eba9c2602a56281e13c1d7cf2322a4d4433fc39452ae3504201c24e3d81572
                                    • Instruction Fuzzy Hash: 99D159B5D40258EFCB15CFA8D880AEDBBB5FF09314F18452AE455EB352D730A982DB90
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2138000335.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2137984169.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138027358.0000000000F2A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F77000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138103233.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AdjustPointer
                                    • String ID:
                                    • API String ID: 1740715915-0
                                    • Opcode ID: 28f081f8925f60337291edb51183af8a09c8b1eb097ddda2682d14964f497310
                                    • Instruction ID: dc99c085be43b515b27a5d71b38303479e83682c07cf1484b5ef83c57b2c1902
                                    • Opcode Fuzzy Hash: 28f081f8925f60337291edb51183af8a09c8b1eb097ddda2682d14964f497310
                                    • Instruction Fuzzy Hash: E351D1B6A05206EFDB288F50D881BBA7FA5EF40320F14496DE845872E1D735EC80FB90
                                    APIs
                                      • Part of subcall function 00F1F09E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00F1EE47,?,00000000,-00000008), ref: 00F1F14A
                                    • GetLastError.KERNEL32 ref: 00F1F51E
                                    • __dosmaperr.LIBCMT ref: 00F1F525
                                    • GetLastError.KERNEL32(?,?,?,?), ref: 00F1F55F
                                    • __dosmaperr.LIBCMT ref: 00F1F566
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2138000335.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2137984169.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138027358.0000000000F2A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F77000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138103233.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                    • String ID:
                                    • API String ID: 1913693674-0
                                    • Opcode ID: 27f3321c2fe9a7c9e1e89311e65325c95c0a109d8dae3bba2b9b33ece96d1bb7
                                    • Instruction ID: 0f3ee071af59e9af369d5ea150886ca152f74c90db093b216dd6ac2bf2a1da9a
                                    • Opcode Fuzzy Hash: 27f3321c2fe9a7c9e1e89311e65325c95c0a109d8dae3bba2b9b33ece96d1bb7
                                    • Instruction Fuzzy Hash: 7321C571A00605AFDB20AFB5CC809EBB7A9FF043647548538F929C7151E735EDD4ABA0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2138000335.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2137984169.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138027358.0000000000F2A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F77000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138103233.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a3e14e73fb4e220e6132aec3df07a2d4cc0ba722ea4bfd8ce836d152bd4c04b8
                                    • Instruction ID: 5f228bd1ba84044656ac25c3b5e0180ace462f98a5a4994563ba069d278ac239
                                    • Opcode Fuzzy Hash: a3e14e73fb4e220e6132aec3df07a2d4cc0ba722ea4bfd8ce836d152bd4c04b8
                                    • Instruction Fuzzy Hash: B121C332E04A05EFDB20AFA1DC409EB77A9EF80B647104514F915DB141E735EED1BBA0
                                    APIs
                                    • GetEnvironmentStringsW.KERNEL32 ref: 00F20458
                                      • Part of subcall function 00F1F09E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00F1EE47,?,00000000,-00000008), ref: 00F1F14A
                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00F20490
                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00F204B0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2138000335.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2137984169.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138027358.0000000000F2A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F77000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138103233.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                    • String ID:
                                    • API String ID: 158306478-0
                                    • Opcode ID: a636a32f75d2c792e8f2ddbf7f17b4108a4fe04a287decc3403235909704baac
                                    • Instruction ID: a8a08811fbe2322427d022e0c7b869a81341736545a9bfb1304e15d77202aff4
                                    • Opcode Fuzzy Hash: a636a32f75d2c792e8f2ddbf7f17b4108a4fe04a287decc3403235909704baac
                                    • Instruction Fuzzy Hash: EF11C4B3D01229BF6621B771AC89CBFB95CDF857A43108025FA06D1102FE78CD4271B2
                                    APIs
                                    • WriteConsoleW.KERNEL32(00000010,00000000,00F33A70,00000000,00000010,?,00F24EA2,00000010,00000001,00000010,?,?,00F1C193,?,00000010,00000000), ref: 00F2669D
                                    • GetLastError.KERNEL32(?,00F24EA2,00000010,00000001,00000010,?,?,00F1C193,?,00000010,00000000,?,?,?,00F1C71A,00000010), ref: 00F266A9
                                      • Part of subcall function 00F2666F: CloseHandle.KERNEL32(FFFFFFFE,00F266B9,?,00F24EA2,00000010,00000001,00000010,?,?,00F1C193,?,00000010,00000000,?,?), ref: 00F2667F
                                    • ___initconout.LIBCMT ref: 00F266B9
                                      • Part of subcall function 00F26631: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00F26660,00F24E8F,?,?,00F1C193,?,00000010,00000000,?), ref: 00F26644
                                    • WriteConsoleW.KERNEL32(00000010,00000000,00F33A70,00000000,?,00F24EA2,00000010,00000001,00000010,?,?,00F1C193,?,00000010,00000000,?), ref: 00F266CE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2138000335.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2137984169.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138027358.0000000000F2A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F77000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138103233.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                    • String ID:
                                    • API String ID: 2744216297-0
                                    • Opcode ID: c1abef627f1c818d985fad660ad6ce1b800ba176cf9749c4b62ec03f6489cc50
                                    • Instruction ID: 3af13052fdffdc1e19da0028c1554a327d36514589810a980a4bade3cb48daa7
                                    • Opcode Fuzzy Hash: c1abef627f1c818d985fad660ad6ce1b800ba176cf9749c4b62ec03f6489cc50
                                    • Instruction Fuzzy Hash: 23F0AC36500228BFCF622FD5EC08A993F66FB487B1F144510FA19D9130D6368820FF91
                                    APIs
                                      • Part of subcall function 00F04E90: std::_Lockit::_Lockit.LIBCPMT ref: 00F04E9D
                                      • Part of subcall function 00F04E90: std::_Lockit::_Lockit.LIBCPMT ref: 00F04EB7
                                      • Part of subcall function 00F04E90: std::_Lockit::~_Lockit.LIBCPMT ref: 00F04ED8
                                      • Part of subcall function 00F04E90: std::_Lockit::~_Lockit.LIBCPMT ref: 00F04F04
                                    • OffsetRect.USER32(00000000,00000000,00000000), ref: 00F2931F
                                      • Part of subcall function 00F04E90: std::_Lockit::~_Lockit.LIBCPMT ref: 00F04F39
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2138000335.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2137984169.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138027358.0000000000F2A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F77000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138103233.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Lockitstd::_$Lockit::~_$Lockit::_$OffsetRect
                                    • String ID: 0$Zatlat
                                    • API String ID: 2708111867-1547964091
                                    • Opcode ID: 9ff7ed4520d334609afba42ce5afa986dd8413c8f53224beb29c9319be667e15
                                    • Instruction ID: e57e1aebb1a932045f89b98935c608693027645efb8faaff7614d0fb388f957f
                                    • Opcode Fuzzy Hash: 9ff7ed4520d334609afba42ce5afa986dd8413c8f53224beb29c9319be667e15
                                    • Instruction Fuzzy Hash: 41E1BB706083418FD714DF24D895B6ABBE1BFC9304F18496CF5898B392DB75E845EB82
                                    APIs
                                    • ___std_exception_copy.LIBVCRUNTIME ref: 00F022CD
                                      • Part of subcall function 00F0BC00: RaiseException.KERNEL32(E06D7363,00000001,00000003,00F0BB23,?,?,?,?,00F0BB23,?,00F340FC,?), ref: 00F0BC60
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2138000335.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2137984169.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138027358.0000000000F2A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F77000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138103233.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExceptionRaise___std_exception_copy
                                    • String ID: ios_base::badbit set$ios_base::failbit set
                                    • API String ID: 3109751735-1240500531
                                    • Opcode ID: b6c91aefbaedf9c25c60c281fbfbdbc1686d323748371d9e9d9f79321c6126f4
                                    • Instruction ID: d22ed3a4d26016714b3623f285e1ba9f59855537b3c911d64edcde6486a40702
                                    • Opcode Fuzzy Hash: b6c91aefbaedf9c25c60c281fbfbdbc1686d323748371d9e9d9f79321c6126f4
                                    • Instruction Fuzzy Hash: 424106B2504304AFD704DF68CC45B9BB7E8BF89320F14861EF95487291E774E945EBA2
                                    APIs
                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 00F0DFDF
                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 00F0E093
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2138000335.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2137984169.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138027358.0000000000F2A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F77000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138103233.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CurrentImageNonwritable___except_validate_context_record
                                    • String ID: csm
                                    • API String ID: 3480331319-1018135373
                                    • Opcode ID: 6074cfe10a010edf9df0586590e2bfbf0db5218a97d82738f21313254a64700a
                                    • Instruction ID: ca68203acdbad4dc760ae7bd3470e2f141918ef519d0bffd8cfd5f0ba7e3d5cc
                                    • Opcode Fuzzy Hash: 6074cfe10a010edf9df0586590e2bfbf0db5218a97d82738f21313254a64700a
                                    • Instruction Fuzzy Hash: DB41A170E00209DBCF20DF68CC84A9EBBB5BF44324F148556E8159B3D2D776A915FB91
                                    APIs
                                    • EncodePointer.KERNEL32(00000000,?), ref: 00F0E8D2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2138000335.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2137984169.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138027358.0000000000F2A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F77000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138103233.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: EncodePointer
                                    • String ID: MOC$RCC
                                    • API String ID: 2118026453-2084237596
                                    • Opcode ID: 0f77710dee4e5701d2ee22b20ee85e46306e04d60c26feb208cf579bda4a4fc1
                                    • Instruction ID: 13f87a401604b8a0c961baef17d47af05f76013902e9fd2e2d6b76683aacf588
                                    • Opcode Fuzzy Hash: 0f77710dee4e5701d2ee22b20ee85e46306e04d60c26feb208cf579bda4a4fc1
                                    • Instruction Fuzzy Hash: 78414971900209AFDF16DF94CD81AAEBBB5BF48310F148499F904672A1D3359A50FB91
                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00F019B5
                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00F019FA
                                      • Part of subcall function 00F09095: _Yarn.LIBCPMT ref: 00F090B4
                                      • Part of subcall function 00F09095: _Yarn.LIBCPMT ref: 00F090D8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2138000335.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2137984169.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138027358.0000000000F2A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F35000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138045741.0000000000F77000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2138103233.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                    • String ID: bad locale name
                                    • API String ID: 1908188788-1405518554
                                    • Opcode ID: fdf154453030496162538d663cb1c9e1aaa2e07cf0b41730643f9ad98463f4d1
                                    • Instruction ID: 35374fa9e28a82615364cb06f96a8035a4f3ba7a5dab8a2cfa32838d8b18d7ed
                                    • Opcode Fuzzy Hash: fdf154453030496162538d663cb1c9e1aaa2e07cf0b41730643f9ad98463f4d1
                                    • Instruction Fuzzy Hash: 37F01D71505B408ED371DF758804743BAE0AF25710F048A5DE4CAC7A81E379E508DBA6

                                    Execution Graph

                                    Execution Coverage:7%
                                    Dynamic/Decrypted Code Coverage:100%
                                    Signature Coverage:0%
                                    Total number of Nodes:44
                                    Total number of Limit Nodes:6

                                    Control-flow Graph

                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 00ECD136
                                    • GetCurrentThread.KERNEL32 ref: 00ECD173
                                    • GetCurrentProcess.KERNEL32 ref: 00ECD1B0
                                    • GetCurrentThreadId.KERNEL32 ref: 00ECD209
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2247538267.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_ec0000_RegAsm.jbxd
                                    Similarity
                                    • API ID: Current$ProcessThread
                                    • String ID:
                                    • API String ID: 2063062207-0
                                    • Opcode ID: bf4ee91332fab757574437bdc7010f21516aaafe34ed5da2c73c3baea73009c0
                                    • Instruction ID: 5be02c30eef2e27e7a1a7be30e3e2b7826f60a60a112bcc0e0bba69440dceaef
                                    • Opcode Fuzzy Hash: bf4ee91332fab757574437bdc7010f21516aaafe34ed5da2c73c3baea73009c0
                                    • Instruction Fuzzy Hash: 695185B0900349CFDB14DFAADA48BAEBBF1EF88314F24845DE009A72A0CB755845CB25

                                    Control-flow Graph

                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 00ECD136
                                    • GetCurrentThread.KERNEL32 ref: 00ECD173
                                    • GetCurrentProcess.KERNEL32 ref: 00ECD1B0
                                    • GetCurrentThreadId.KERNEL32 ref: 00ECD209
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2247538267.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_ec0000_RegAsm.jbxd
                                    Similarity
                                    • API ID: Current$ProcessThread
                                    • String ID:
                                    • API String ID: 2063062207-0
                                    • Opcode ID: a3aca848a2d362d0d5b249b7c91b6448b22cfdaa6e242e192ae9c6338fdd0ba2
                                    • Instruction ID: 922c6b49eb5f6c984389cf796b74bec739e6003e1b94d68dd70f4ab17f79608c
                                    • Opcode Fuzzy Hash: a3aca848a2d362d0d5b249b7c91b6448b22cfdaa6e242e192ae9c6338fdd0ba2
                                    • Instruction Fuzzy Hash: 985177B09003498FDB54DFAADA48BAEBBF1EF88314F24841DE009B7360DB755945CB65

                                    Control-flow Graph

                                    APIs
                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 00ECB086
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2247538267.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_ec0000_RegAsm.jbxd
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID:
                                    • API String ID: 4139908857-0
                                    • Opcode ID: 693dfbdb87e0706906c46768a5584e399e90da95d88b0227e53f28f177e08341
                                    • Instruction ID: 89e3d079aac6b0acc441b7f77cc611e4c722243abfc1b1f4289fb519e3e305ef
                                    • Opcode Fuzzy Hash: 693dfbdb87e0706906c46768a5584e399e90da95d88b0227e53f28f177e08341
                                    • Instruction Fuzzy Hash: 3C714870A00B498FD724DF69D545B6ABBF1FF88308F04892DE446E7A40DB76E846CB91

                                    Control-flow Graph

                                    APIs
                                    • CreateActCtxA.KERNEL32(?), ref: 00EC59F1
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2247538267.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_ec0000_RegAsm.jbxd
                                    Similarity
                                    • API ID: Create
                                    • String ID:
                                    • API String ID: 2289755597-0
                                    • Opcode ID: f22ebaf3c7c78dcade0d4558439461c727fcf773f8be5d1da7456f52f21fed34
                                    • Instruction ID: 3b59e73227e99b25c4ba08d0cbb8b43b5de4b66dbae411cd951fe598f09075c0
                                    • Opcode Fuzzy Hash: f22ebaf3c7c78dcade0d4558439461c727fcf773f8be5d1da7456f52f21fed34
                                    • Instruction Fuzzy Hash: 9441B271C00719CBDB24DFAAC984B9DBBB5FF84714F20816AD408BB251DB766986CF90

                                    Control-flow Graph

                                    APIs
                                    • CreateActCtxA.KERNEL32(?), ref: 00EC59F1
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2247538267.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_ec0000_RegAsm.jbxd
                                    Similarity
                                    • API ID: Create
                                    • String ID:
                                    • API String ID: 2289755597-0

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 138 eca858-eca860 140 eca88c 138->140 141 eca862-ecb2e8 138->141 143 eca8ec-eca954 140->143 144 eca88e-eca8c0 140->144 146 ecb2ea-ecb2ed 141->146 147 ecb2f0-ecb31f LoadLibraryExW 141->147 146->147 150 ecb328-ecb345 147->150 151 ecb321-ecb327 147->151 151->150
                                    APIs
                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00ECB101,00000800,00000000,00000000), ref: 00ECB312
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2247538267.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_ec0000_RegAsm.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 154 ecd300-ecd394 DuplicateHandle 155 ecd39d-ecd3ba 154->155 156 ecd396-ecd39c 154->156 156->155
                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00ECD387
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2247538267.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_ec0000_RegAsm.jbxd
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 159 ecd2f9-ecd394 DuplicateHandle 160 ecd39d-ecd3ba 159->160 161 ecd396-ecd39c 159->161 161->160
                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00ECD387
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2247538267.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_ec0000_RegAsm.jbxd
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 164 ecb2a0-ecb2e8 166 ecb2ea-ecb2ed 164->166 167 ecb2f0-ecb31f LoadLibraryExW 164->167 166->167 168 ecb328-ecb345 167->168 169 ecb321-ecb327 167->169 169->168
                                    APIs
                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00ECB101,00000800,00000000,00000000), ref: 00ECB312
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2247538267.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_ec0000_RegAsm.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 172 eca870-ecb2e8 174 ecb2ea-ecb2ed 172->174 175 ecb2f0-ecb31f LoadLibraryExW 172->175 174->175 176 ecb328-ecb345 175->176 177 ecb321-ecb327 175->177 177->176
                                    APIs
                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00ECB101,00000800,00000000,00000000), ref: 00ECB312
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2247538267.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_ec0000_RegAsm.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 180 ecb020-ecb060 181 ecb068-ecb093 GetModuleHandleW 180->181 182 ecb062-ecb065 180->182 183 ecb09c-ecb0b0 181->183 184 ecb095-ecb09b 181->184 182->181 184->183
                                    APIs
                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 00ECB086
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2247538267.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_ec0000_RegAsm.jbxd
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID:
                                    • API String ID: 4139908857-0
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2247223012.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_ded000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2247252288.0000000000DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_dfd000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2247252288.0000000000DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_dfd000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2247223012.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_ded000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2247223012.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_ded000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID: