
Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1482542
MD5:04e90b2cf273efb3f6895cfcef1e59ba
SHA1:79afcc39db33426ee8b97ad7bfb48f3f2e4c3449
SHA256:e015f535c8a9fab72f2e06863c559108b1a25af90468cb9f80292c3ba2c33f6e
Tags:exe

Detection

PureLog Stealer, RedLine, zgRAT
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
High number of junk calls found (likely related to sandbox DoS / API hammering)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Enables security privileges
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number, etc.) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 7324 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 04E90B2CF273EFB3F6895CFCEF1E59BA)
    • conhost.exe (PID: 7332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 7408 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • DMINktnUtY.exe (PID: 7444 cmdline: "C:\Users\user\AppData\Roaming\DMINktnUtY.exe" MD5: 74E358F24A40F37C8FFD7FA40D98683A)
        • conhost.exe (PID: 7460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • J48w21dBmF.exe (PID: 7452 cmdline: "C:\Users\user\AppData\Roaming\J48w21dBmF.exe" MD5: 2C2BE38FB507206D36DDDB3D03096518)
        • conhost.exe (PID: 7488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Malware family information:

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name: zgRAT
Description: zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an infostealer capability which targets browser information and cryptowallets. Usually spreads by USB or phishing emails with .zip/.lnk/.bat/.xlsx attachments and so on.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat
No configs have been found
Yara matches on dropped files (Source | Rule | Description | Author | Strings):
C:\Users\user\AppData\Roaming\J48w21dBmF.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
C:\Users\user\AppData\Roaming\J48w21dBmF.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
C:\Users\user\AppData\Roaming\J48w21dBmF.exe | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen
      • 0x583a9:$s1: file:///
      • 0x582e1:$s2: {11111-22222-10009-11112}
      • 0x58339:$s3: {11111-22222-50001-00000}
      • 0x54d2f:$s4: get_Module
      • 0x4e954:$s5: Reverse
      • 0x4f872:$s6: BlockCopy
      • 0x4e993:$s7: ReadByte
      • 0x583bb:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
C:\Users\user\AppData\Roaming\DMINktnUtY.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
C:\Users\user\AppData\Roaming\DMINktnUtY.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
Yara matches in memory dumps (Source | Rule | Description | Author | Strings):
00000004.00000000.1681361554.0000000000742000.00000002.00000001.01000000.00000006.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000003.00000000.1680428465.0000000000CC2000.00000002.00000001.01000000.00000005.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000002.00000002.1681601241.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
00000002.00000002.1681601241.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000002.00000002.1681601241.0000000000400000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen
                  • 0x8e409:$s1: file:///
                  • 0xfe9cd:$s1: file:///
                  • 0x8e341:$s2: {11111-22222-10009-11112}
                  • 0xfe905:$s2: {11111-22222-10009-11112}
                  • 0x8e399:$s3: {11111-22222-50001-00000}
                  • 0xfe95d:$s3: {11111-22222-50001-00000}
                  • 0x8ad8f:$s4: get_Module
                  • 0xfb7ac:$s4: get_Module
                  • 0x849b4:$s5: Reverse
                  • 0xf57f5:$s5: Reverse
                  • 0x858d2:$s6: BlockCopy
                  • 0xf6590:$s6: BlockCopy
                  • 0x849f3:$s7: ReadByte
                  • 0xf5811:$s7: ReadByte
                  • 0x8e41b:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
                  • 0xfe9df:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Yara matches on unpacked PE files (Source | Rule | Description | Author | Strings):
2.2.RegAsm.exe.436060.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
2.2.RegAsm.exe.436060.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
2.2.RegAsm.exe.436060.0.unpack | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen
                      • 0x565a9:$s1: file:///
                      • 0x564e1:$s2: {11111-22222-10009-11112}
                      • 0x56539:$s3: {11111-22222-50001-00000}
                      • 0x52f2f:$s4: get_Module
                      • 0x4cb54:$s5: Reverse
                      • 0x4da72:$s6: BlockCopy
                      • 0x4cb93:$s7: ReadByte
                      • 0x565bb:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
2.2.RegAsm.exe.4b3c60.2.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
2.2.RegAsm.exe.4b3c60.2.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
                          No Sigma rule has matched
                          No Snort rule has matched
                          Timestamp:2024-07-26T01:02:39.138594+0200
                          SID:2022930
                          Source Port:443
                          Destination Port:49735
                          Protocol:TCP
                          Classtype:A Network Trojan was detected
                          Timestamp:2024-07-26T01:03:00.592832+0200
                          SID:2022930
                          Source Port:443
                          Destination Port:62408
                          Protocol:TCP
                          Classtype:A Network Trojan was detected
                          Timestamp:2024-07-26T01:02:59.378967+0200
                          SID:2022930
                          Source Port:443
                          Destination Port:62407
                          Protocol:TCP
                          Classtype:A Network Trojan was detected


                          AV Detection

Source: file.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe | Avira: detection malicious, Label: HEUR/AGEN.1323361
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.7% probability
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe | Joe Sandbox ML: detected
Source: file.exe | Joe Sandbox ML: detected
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ACACA1 FindFirstFileExW
Source: unknown | DNS traffic detected: query: 56.126.166.20.in-addr.arpa reply code: Name error (3)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: DMINktnUtY.exe, 00000003.00000002.1702039637.0000000003344000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1701185664.0000000002C5F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $^q3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\^q equals www.youtube.com (Youtube)
Source: DMINktnUtY.exe, 00000003.00000002.1702039637.0000000003344000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1701185664.0000000002C5F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: DMINktnUtY.exe, 00000003.00000002.1702039637.0000000003344000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1701185664.0000000002C5F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\^q equals www.youtube.com (Youtube)
Source: DMINktnUtY.exe, 00000003.00000002.1702039637.0000000003344000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1701185664.0000000002C5F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb`,^q equals www.youtube.com (Youtube)
Source: DMINktnUtY.exe, 00000003.00000002.1702039637.0000000003344000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1701185664.0000000002C5F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: `,^q#www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: global traffic | DNS traffic detected: DNS query: 56.126.166.20.in-addr.arpa
Source: DMINktnUtY.exe, 00000003.00000002.1708371377.0000000007222000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: DMINktnUtY.exe, 00000003.00000002.1708371377.0000000007222000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: DMINktnUtY.exe, 00000003.00000002.1708371377.0000000007222000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: DMINktnUtY.exe, 00000003.00000002.1708371377.0000000007222000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: DMINktnUtY.exe, 00000003.00000002.1708371377.0000000007222000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: DMINktnUtY.exe, 00000003.00000002.1708371377.0000000007222000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: DMINktnUtY.exe, 00000003.00000002.1708371377.0000000007222000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: DMINktnUtY.exe, 00000003.00000002.1708371377.0000000007222000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: DMINktnUtY.exe, 00000003.00000002.1708371377.0000000007222000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: DMINktnUtY.exe, 00000003.00000002.1708371377.0000000007222000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: DMINktnUtY.exe, 00000003.00000002.1708371377.0000000007222000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: DMINktnUtY.exe, 00000003.00000002.1708371377.0000000007222000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: DMINktnUtY.exe, 00000003.00000002.1708371377.0000000007222000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: DMINktnUtY.exe, 00000003.00000002.1708371377.0000000007222000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: DMINktnUtY.exe, 00000003.00000002.1708371377.0000000007222000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: DMINktnUtY.exe, 00000003.00000002.1708371377.0000000007222000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: DMINktnUtY.exe, 00000003.00000002.1708371377.0000000007222000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: DMINktnUtY.exe, 00000003.00000002.1708371377.0000000007222000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: DMINktnUtY.exe, 00000003.00000002.1708371377.0000000007222000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: DMINktnUtY.exe, 00000003.00000002.1708371377.0000000007222000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: DMINktnUtY.exe, 00000003.00000002.1708371377.0000000007222000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: DMINktnUtY.exe, 00000003.00000002.1702039637.0000000003271000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1701185664.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.s
Source: J48w21dBmF.exe, 00000004.00000002.1701185664.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.sb/ip
Source: J48w21dBmF.exe, 00000004.00000002.1701185664.0000000002CB0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/api/v9/users/
Source: DMINktnUtY.exe, 00000003.00000002.1702039637.00000000034C4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: GetRawInputDatamemstr_afe1c48f-5

                          System Summary

                          Source: 2.2.RegAsm.exe.436060.0.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                          Source: 2.2.RegAsm.exe.4b3c60.2.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                          Source: 3.0.DMINktnUtY.exe.cc0000.0.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                          Source: 4.0.J48w21dBmF.exe.740000.0.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                          Source: 2.2.RegAsm.exe.4b3c60.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                          Source: 2.2.RegAsm.exe.436060.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                          Source: 2.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                          Source: 2.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                          Source: 00000002.00000002.1681601241.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects zgRAT Author: ditekSHen
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe, type: DROPPEDMatched rule: Detects zgRAT Author: ditekSHen
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe, type: DROPPEDMatched rule: Detects zgRAT Author: ditekSHen
                          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00ACA0660_2_00ACA066
                          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AC11D00_2_00AC11D0
                          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00ACEDCE0_2_00ACEDCE
                          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AC5D320_2_00AC5D32
                          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00ABE7B40_2_00ABE7B4
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004023102_2_00402310
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004050B02_2_004050B0
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0042045E2_2_0042045E
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040FCE02_2_0040FCE0
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00419D092_2_00419D09
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041950B2_2_0041950B
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004156252_2_00415625
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00404EF02_2_00404EF0
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040CF7F2_2_0040CF7F
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeCode function: 3_2_013C67B03_2_013C67B0
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeCode function: 3_2_013C08783_2_013C0878
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeCode function: 3_2_013C08683_2_013C0868
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeCode function: 4_2_029F2D004_2_029F2D00
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeCode function: 4_2_029F08984_2_029F0898
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeCode function: 4_2_029F08A84_2_029F08A8
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeCode function: 4_2_029F2CF04_2_029F2CF0
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeCode function: 4_2_0539DD804_2_0539DD80
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeCode function: 4_2_053906B04_2_053906B0
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeCode function: 4_2_053916A94_2_053916A9
                          Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\J48w21dBmF.exe 0C7173DAAA5AD8DABE7A2CDE6DBD0EEE1CA790071443AA13B01A1E731053491E
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeProcess token adjusted: SecurityJump to behavior
                          Source: C:\Users\user\Desktop\file.exeCode function: String function: 00AB8970 appears 50 times
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 00407D20 appears 55 times
                          Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                          Source: 2.2.RegAsm.exe.436060.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                          Source: 2.2.RegAsm.exe.4b3c60.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                          Source: 3.0.DMINktnUtY.exe.cc0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                          Source: 4.0.J48w21dBmF.exe.740000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                          Source: 2.2.RegAsm.exe.4b3c60.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                          Source: 2.2.RegAsm.exe.436060.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                          Source: 2.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                          Source: 2.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                          Source: 00000002.00000002.1681601241.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe, type: DROPPEDMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe, type: DROPPEDMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                          Source: file.exeStatic PE information: Section: .data ZLIB complexity 0.9957952789319011
                          Source: 2.2.RegAsm.exe.4b3c60.2.raw.unpack, Strings.csCryptographic APIs: 'CreateDecryptor'
                          Source: 2.2.RegAsm.exe.4b3c60.2.raw.unpack, kU5tliBImvaQ8ijXHBH.csCryptographic APIs: 'CreateDecryptor'
                          Source: 2.2.RegAsm.exe.4b3c60.2.raw.unpack, ior9Akd5ddZSi4JUE3I.csCryptographic APIs: 'CreateDecryptor'
                          Source: 2.2.RegAsm.exe.4b3c60.2.raw.unpack, ior9Akd5ddZSi4JUE3I.csCryptographic APIs: 'CreateDecryptor'
                          Source: 2.2.RegAsm.exe.436060.0.raw.unpack, Strings.csCryptographic APIs: 'CreateDecryptor'
                          Source: 2.2.RegAsm.exe.436060.0.raw.unpack, RsBNpMSIA1NJTZGGM59.csCryptographic APIs: 'CreateDecryptor'
                          Source: 2.2.RegAsm.exe.436060.0.raw.unpack, EvIl806iCqlrVic9EL7.csCryptographic APIs: 'CreateDecryptor'
                          Source: 2.2.RegAsm.exe.436060.0.raw.unpack, ymPuo7hNqu7rH1NPowv.csCryptographic APIs: 'CreateDecryptor'
                          Source: 2.2.RegAsm.exe.436060.0.raw.unpack, ymPuo7hNqu7rH1NPowv.csCryptographic APIs: 'CreateDecryptor'
                          Source: 2.2.RegAsm.exe.4b3c60.2.raw.unpack, Strings.csBase64 encoded string: 'GVcsCi8lPCw0QAVDNVUzPBcKbB83HS8CNTEjNxEnMFMEQiM7MB8sChAfJCcqNSMgNj03HSEZEhAwJEVO'
Source: 2.2.RegAsm.exe.436060.0.raw.unpack, Strings.cs | Base64 encoded string: 'NjIdFQUMAg8GNFcvNyY4HgIkJBEaJjgUDg0NVxslKFc3UzQgBjQeCQUbOB4AJwoTNSYaKBgbKA0HNV5a'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@10/4@1/0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Roaming\DMINktnUtY.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7332:120:WilError_03
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7460:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7488:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Users\user\AppData\Roaming\DMINktnUtY.exe "C:\Users\user\AppData\Roaming\DMINktnUtY.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Users\user\AppData\Roaming\J48w21dBmF.exe "C:\Users\user\AppData\Roaming\J48w21dBmF.exe"
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: appresolver.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: slc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sppc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Section loaded: textshaping.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: file.exe | Static file information: File size 1464832 > 1048576
Source: file.exe | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x134600
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

                          Data Obfuscation

Source: 2.2.RegAsm.exe.4b3c60.2.raw.unpack, ior9Akd5ddZSi4JUE3I.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{YYtS09hfE44Dgdn6eP6(typeof(IntPtr).TypeHandle),typeof(Type)})
Source: 2.2.RegAsm.exe.436060.0.raw.unpack, ymPuo7hNqu7rH1NPowv.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{ekkVyRtJMvVSoctoUmo(typeof(IntPtr).TypeHandle),typeof(Type)})
Source: DMINktnUtY.exe.2.dr | Static PE information: 0xEB89CB14 [Tue Mar 22 23:49:40 2095 UTC]
Source: file.exe | Static PE information: section name: .zzZ
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AB8115 push ecx; ret 0_2_00AB8128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00428E7D push esi; ret 2_2_00428E86
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004076D3 push ecx; ret 2_2_004076E6
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Code function: 4_2_051536FB push ecx; retf 4_2_051536FC
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Code function: 4_2_05155A40 pushfd ; iretd 4_2_05155A49
Source: 2.2.RegAsm.exe.4b3c60.2.raw.unpack, Strings.cs | High entropy of concatenated method names: 'Init', 'Decrypt', 'Get', 'SW7XlrLiUtWtnAPuFtV', 'gyNMMlLMaRRJZVA8Zga', 'syvAAsLSYSns17kCQ5l', 'uoNmVrLh7m9eQTQYps9', 'NweWaRL2PB9sh4II1Mv', 'tWLdQsLOBsFU6dULcLx', 'BmavqDL0KlWIly2fF0m'
Source: 2.2.RegAsm.exe.4b3c60.2.raw.unpack, Uv6YUiUwiQlDKPLBKM.cs | High entropy of concatenated method names: 'oLBfmLT9Ns', 'GomfrRgoqL', 'IDTf9oF32T', 'htnfzOZWFw', 'gcrDcvOcXR', 'FVQDjt0k05', 'DseDu7FOUI', 'mKXNW2MpLBiURKss36f', 'yrJ9qyMZn4AGtbXbRmy', 'YG5D7PsP0l'
Source: 2.2.RegAsm.exe.4b3c60.2.raw.unpack, kU5tliBImvaQ8ijXHBH.cs | High entropy of concatenated method names: 'ENaBSnTU1B', 'qATBhpGvvj', 'So3BOCaM1G', 'lusBkeD34a', 'nKhBaiF9lU', 'XMYB8Kr8g0', 'm21B5VgJPV', 'rJyBg516vu', 'wMMBbJ4gGv', 'o3DBLjrrPH'
Source: 2.2.RegAsm.exe.4b3c60.2.raw.unpack, fFbZwlX6ufedP3VVdMU.cs | High entropy of concatenated method names: 'T8AXE6QJcl', 'PqTXVvxFFR', 'FT8X3mstF7', 'dINXUPmirf', 'd79Xv913rb', 'aOdu0hsMnOTcuTXEmyZ', 'ax8DabsSZaBB4wDSxjR', 'd87FcWsiiHfIY3bAgvj', 'wdia52sLpfwFS8sbo9O', 'CFr89Zs1cE4IO3gDp0m'
Source: 2.2.RegAsm.exe.4b3c60.2.raw.unpack, OawTOsXok9dLIGUygKV.cs | High entropy of concatenated method names: 'wguXwrkVYN', 'M18XYmqCaV', 'IeXXITOoen', 'iFHXsbDTkd', 'Ly9Xb2eD0U', 'Mo9XLmnBFS', 'XD9X1XKkSC', 'DkJXMI13AW', 'Dh1XSEVscu', 'TyeXiNy2ho'
Source: 2.2.RegAsm.exe.4b3c60.2.raw.unpack, gWZbR7uUo3Ecmavde4A.cs | High entropy of concatenated method names: 'PxZutvKsUo', 'atGuFpZi5w', 'hVvuqZaPyc', 'FvJunRVQED', 'RkDuo2sZUm', 'qyguW9EbFq', 'h1Jufy2HhS', 'Ud1uD0xNYq', 'h8auTW89UE', 'LieudcDK10'
Source: 2.2.RegAsm.exe.4b3c60.2.raw.unpack, LAmgpAMJb2FSRsQu6M.cs | High entropy of concatenated method names: 'Field1', 'vbdDjbY8DHesv4vMlbr', 'ySTYUcYGBhEEbwjBjoA', 'DGDHkqY5GmAedjA9rtO', 'qS4qC3Yg4YVNc2ih286', 'zDRZsSYK7tomF32MpxA', 'GmheqfYQhhLKAbILsd3', 'AIRZ0kYasBsVaTidhA9'
Source: 2.2.RegAsm.exe.4b3c60.2.raw.unpack, GTUJybuyb8qluZH6i7u.cs | High entropy of concatenated method names: 'D8burCwhun', 'k3Pu9vMvoh', 'Dispose', 'va5uzN0G6r', 'idgGZbs45KVbGmhOslP', 'CT37LyslFBUQsgaHYao', 's5hCBwstxBAmqJ5rwnN', 'GB3WsLsPlYBfJifTq2c', 'oYAL6msFGFhXb89fJu3'
Source: 2.2.RegAsm.exe.4b3c60.2.raw.unpack, VGSE25XrYZJ1Kcb1FkT.cs | High entropy of concatenated method names: 'sxsXzROfXo', 'mDu7csjce6', 'Trx7jS1097', 'p8W7ucG7hK', 'IW57XK0iJI', 'XqD77RQKWn', 'PLt7BriMAb', 'wrq7HaZwYY', 'rjM7eYvTMK', 'lKI76bjIxt'
Source: 2.2.RegAsm.exe.4b3c60.2.raw.unpack, kZrCypXugJuhBYjNYsQ.cs | High entropy of concatenated method names: 'cnfXBaVqTM', 'Ex3X7koON5', 'Xdr0ZRsxo8SnAZKT8ex', 'FCYeLBsoVmZUo0s9SfY', 'Nd39M5sW5HCVAq1ksFP', 'Kdarb7swNPtnuAwPT5p', 'CGVlu3sYgVotCauIRjk', 'yOCNDosI2YClmmPS4gH', 'hjjpuBss62PZd2bJx9B', 'WUkekWsqL0q1wZxJ7mX'
Source: 2.2.RegAsm.exe.4b3c60.2.raw.unpack, IHXC94YXWFClKfVysr.cs | High entropy of concatenated method names: 'TgQsedPD0', 'Mosbcbnbh', 'C6jL72jyy', 'I\u04344', 'XDNyPHYMM3F0XLUMcaU', 'WsGq7IYSXsg8QKfp3dp', 'PvPPojYiJ8nfwmrifFt', 'rXar4lYhpYFDSirtGBP', 'sc7lcTY2ywa2TQ6NuPd', 'GhZJLAYOGXMqjUumvlM'
Source: 2.2.RegAsm.exe.4b3c60.2.raw.unpack, mWn2uTXfABRTA9gvJpL.cs | High entropy of concatenated method names: 'vIPXTPbiHE', 'Y2oXdbqFYx', 'MgRXRHWLG9', 'uBUXJKE8vn', 'LOTX4C1EqN', 'kWRXlr11Fh', 'rnfXtVIjAE', 'YcFXP5Vhrc', 'VlHXFvNsEc', 'eiTXAJKJmf'
Source: 2.2.RegAsm.exe.4b3c60.2.raw.unpack, SyxKifekd28kxBNqQqx.cs | High entropy of concatenated method names: 'YN8dsVrSIj', 'RU6cEqiX5QgF0tko90y', 'UDHrY4i738uKB2LNpv7', 'INJxuYiB951gZhacsRN', 'Yu4dL6TqLq', 'fBDd1an2gj', 'a34dMsYUke', 'MSXdS0iJav', 'WX9VMvieHIjYRgo3JC5', 'LOWQ83i6oc0PgAgZiXa'
Source: 2.2.RegAsm.exe.4b3c60.2.raw.unpack, hmpfoCjvg4hqsFP0LjP.cs | High entropy of concatenated method names: 'zqZToFyuAq', 'yZnTWTUmx2', 'w6Ke6MSt5X64q3us6AB', 'SNWnVqSPbaWEOi19otP', 'TudkPFSF0j9tpnlLnIm', 'wOqEBPSq1RrJhiw9NZZ', 'DHqnrJSnEPSTn6QEnQe', 'G06TIkdJJT', 'J2AKG6SoUaiRRlOdTE4', 'Q0EBytSWLONhTf6Ngkb'
Source: 2.2.RegAsm.exe.4b3c60.2.raw.unpack, UtoRl5uKb9Fp7h6R4GX.cs | High entropy of concatenated method names: 'qqsTaE1Kd4', 'JFT3e1Sa09e5ForaSx7', 'yWh9ddS8fvVek9GibGu', 'CDruZ2INIZ', 'xdbuNPYrWZ', 'u55JW2sDJreFKL0aOEW', 'LfFYNasTMxN2pbTNPyk', 'lEcpIHsdX0RViQjS4X3', 'ldAqc0sRN5Is49aM0Wr'
Source: 2.2.RegAsm.exe.4b3c60.2.raw.unpack, DJTcgV7fSIieAeqHgA0.cs | High entropy of concatenated method names: 'jt543GErCe', 'W3r4USIhU8', 'KYn4EQQiGT', 'na74v95gdW', 'E3k4f3mExU', 'Ix34DsZaLf', 'Ob94T23cie', 'tMD4dl9KQh', 'hyt7T6hnHo', 'U4V4R7McRE'
Source: 2.2.RegAsm.exe.4b3c60.2.raw.unpack, SkL3LGHeejS7o6KAb0B.cs | High entropy of concatenated method names: 'BVkHC3dpCK', 'LwOHV8KlEn', 'sB2H3eb6A1', 'TDrHUfDXNx', 'dyqHvKO0fC', 'RGZHf44N66', 'Fk8HDKQoT1', 'X6IHTQmFp3', 'OLmHdkZrHR', 'UltHRusjRv'
Source: 2.2.RegAsm.exe.4b3c60.2.raw.unpack, q9oNCQ3LukRHjfJdSTn.cs | High entropy of concatenated method names: 'c7j3MPyune', 'gLJ3SMxcXC', 'KGX3hm1pLD', 'oKv32ycjs1', 'cQj30nect3', 'Eox3Q0Qemp', 'C9p3aPl5s1', 'ToString', 'gFCTclMlI2t0jthLBHA', 'DHIqVrMtW3DA82BJgk4'
Source: 2.2.RegAsm.exe.4b3c60.2.raw.unpack, uwnKjGF06wYI5Nb9kX.cs | High entropy of concatenated method names: 'Field1', 'hjyqMrTso', 'Field2', 'Field3', 'QTcnZLsMC', 'VrxxFFebR', 'IG9o5pFLF', 'rRuWXPYAN4NRB3yykmS', 'C1CBtYYqVKVt3DlngCD', 'Mh7QX2YPcLclddWJlZ7'
Source: 2.2.RegAsm.exe.4b3c60.2.raw.unpack, LrFTpY7iUXI47XuL87C.cs | High entropy of concatenated method names: 'jt543GErCe', 'dD944UjqUM', 'Vwy724cqDJ', 'iTs7OR04P9', 'AWX70R6edo', 'Jk07kRZIgf', 'qmh7Q8DXhP', 'KYn4EQQiGT', 'W3r4USIhU8', 'kDO4lnWoY1'
Source: 2.2.RegAsm.exe.4b3c60.2.raw.unpack, ior9Akd5ddZSi4JUE3I.cs | High entropy of concatenated method names: 'hEOCU7hWD8mjKfipxt7', 'MxBfikhwhN3ZGOjYMed', 'srQJ4tvwkf', 'cUaCX9hbaGAcxyqube5', 'NDE0gahLlVvO4PiMDwb', 'dhgUeUh1uSEJhGs0GMW', 'Q3RJfVhMSkAgEi3kLH0', 'snyhUahSAZWer9Hi99X', 'g38PJ8K3c0', 'korJn9sVu4'
Source: 2.2.RegAsm.exe.4b3c60.2.raw.unpack, dWsk2suC6DIcKHHbQrw.cs | High entropy of concatenated method names: 'ExpandEnvironmentVariable', 'j5quVNpYfo', 'b4Uu3r0uip', 'HP2eMvIypBAMvbdafSK', 'BUUvTZIm87YYpjgFyVd', 'G7FcPXIrP2If1e4e5rO', 'wypZ9WI951lHn1XIn2h', 'AMgnc5IzGmxR5mPTpEQ', 'gJn5J7scObuOBLKLmWq'
Source: 2.2.RegAsm.exe.4b3c60.2.raw.unpack, AGCC1qjaZnIu24AH3bt.cs | High entropy of concatenated method names: 'J28uc9oq4Q', 'cL8jGTwbHJ', 'uaIj5It8WI', 'DAfjgD2kUN', 'XP0jKjQj02', 'QubjpLKfRY', 'pm1jZrrVHS', 'mgUjNfux08', 'zxajy2Mhao', 'NxIjmwTHvn'
Source: 2.2.RegAsm.exe.4b3c60.2.raw.unpack, cnM5KpB9Si7YRITptjy.cs | High entropy of concatenated method names: 'nb6Hc2ZIfx', 'CiEHjWUS0G', 'dIOHudqMg3', 'z1jHXYvPwI', 'SJSH7klKfW', 'Ce28quLcvR3ePOS1vwW', 'Fhn3wWLjimtpHhSkrih', 'LPQC5DLuIKtTL6HAMsD', 'RANFXYLXEqyiwsHhWbQ'
Source: 2.2.RegAsm.exe.4b3c60.2.raw.unpack, zgHUwGHNI1chR8xhv4v.cs | High entropy of concatenated method names: 'vPFdoIb660', 'GC4dW2P2cY', 'JqPPI2S9I1aALueYFRs', 'mnTkbrSzGCki1QonSM2', 'fdeMYCicWgi14v1w47F', 'IGTPAlijB4EOU9emPMK', 'wwYHmJqSlU', 'fLXHrXKglT', 'dsBH9msXjp', 'yAgA8qLIkxsJjLaQabN'
Source: 2.2.RegAsm.exe.4b3c60.2.raw.unpack, X5iBUftytZuo7rW1lJ.cs | High entropy of concatenated method names: 'Field1', 'Field2', 'Field3', 'zDEAfxYf60yVfYmhRvB', 'RHKd3bYDFFwx4jZ6e2R', 'nxf7i4YTgrRvbQZE50r', 'ImeXrHYdkppaCTrFegj', 'rRYWxdYREeaSJPOg2qD', 'El1TWVYJTw7cBuSVEXm', 'xy4h9CY4yGwlbXMloxx'
Source: 2.2.RegAsm.exe.436060.0.raw.unpack, MI9HRSOvwZeUK3VMWUm.cs | High entropy of concatenated method names: 'XOV0JT40t6', 'S3vO3m9uVf', 'lITONJBd7h', 'qfoO5LUYma', 'kVMO1CEX7T', 'VUrOIm3Qe0', 'zb9OMY15M4', 'wgcOGZ5nwc', 'btBObjfDOs', 'lfWO7kI64e'
Source: 2.2.RegAsm.exe.436060.0.raw.unpack, UAFCoqEm5t2t628Rj6.cs | High entropy of concatenated method names: 'Field1', 'Field2', 'Field3', 'YqBkX1iv89WPRoZ0KM7', 'tOAjcmijKbAwKRZOEF8', 'ObIRZbi35BpjIcfeVOT', 'dECfuMiNjUcGcnHFQ4C', 'XhxfQ9i5pfNRIwaCcq2', 'ej4sbxiVU8nLjyuEq6W', 'KCOGO5iEcB6WwTBV2QZ'
Source: 2.2.RegAsm.exe.436060.0.raw.unpack, IRxSG6qt0JkYwKh1cA1.cs | High entropy of concatenated method names: 'm6CqvvqbXE', 'NFPqV2WPSM', 'CjXqEkbwJ7', 'EX13R0CKHPRgghmyZ57', 'oIn5JWCzrb8BfPFNrij', 'K1dM6PwJmFq8lTrvnL5', 'vCmpHDwOQ5JVPsAWIGn', 'KBtg2lw0IK1U9N6lhsV', 'XHwKVmwsFQFhiov5n26'
Source: 2.2.RegAsm.exe.436060.0.raw.unpack, x4QOh80pVtb236KIyss.cs | High entropy of concatenated method names: 'KYd0Z3Dffe', 'zyn0x7m082', 'LgX0e4cslF', 'HQD0PEU9KR', 'sH20yHT1fA', 'zFU0u0apw2', 'fax0DR3qlS', 'xJA0ce8nCb', 'tlE0A2B9K3', 'W0B0h2cZkh'
Source: 2.2.RegAsm.exe.436060.0.raw.unpack, svBIiPpoOPB51PVt4u.cs | High entropy of concatenated method names: 'ECdD7lsjFc', 'StpDYnKHya', 'pLCDKa2Phd', 'PFiDzqXTG5', 'iA2cJWX11O', 'YHhcOdliie', 'XDSc0mEwCW', 'UEhKNWWjIlKKkrnFk9k', 'BAj3vTW3jQrwsrkqlEH', 'Field1'
Source: 2.2.RegAsm.exe.436060.0.raw.unpack, IySwrSs0IOLUMRVYwiw.cs | High entropy of concatenated method names: 'G2Os6cplpi', 'KsnsUZRZmp', 'poM7WTg29bEDyfMmkI0', 'sJcFN7gWK1BaNeoVguL', 'laesU4gkH0xqOFQywS8', 'UH4ImKg9mF64DdgkiQ7', 'ib32oigtLFxiVhrVG7H', 'PfN6nmg87dp2i75I9dx', 'aYMriWgV4xn3aF3sBac', 'LOfaBtgErGkSVc90pgQ'
Source: 2.2.RegAsm.exe.436060.0.raw.unpack, RlBF8Yl8Mnqswvfy6T.cs | High entropy of concatenated method names: 'ObpFUuDsX', 'qSlgsu09H', 'DI7d5XObG', 'I\u04344', 'YG8nAuis3Gfeu0gcIEA', 'zty0ZGiU0TvxlVce1Lt', 'prXVsFi6dbVUo65JnX8', 'MMm5Kciq3LOQrX3tWdB', 'gvvQKmiH5SlJNxgI9CC', 'Un5Y4tiXCTTvxS6Oq1Y'
Source: 2.2.RegAsm.exe.436060.0.raw.unpack, s6ECEhpmkusi0Qv5kY0.cs | High entropy of concatenated method names: 'z88pDarpDl', 'z0hpACi43S', 'AJvp40rrEV', 'nylpSKeLNo', 'fwnppgyNHT', 'rjXpBJNORc', 'k5AcsEWQZ6dEHyVcNB7', 'tfsBeLWeqEMcGXExYR7', 'huC179WofcMXsHx0maD', 'WZB071Wx6ICnsKgQXte'
Source: 2.2.RegAsm.exe.436060.0.raw.unpack, RamrfvUW8b4LOT78xRN.cs | High entropy of concatenated method names: 'inlnSs5o2E', 'aFRnn0WNmS', 'nmcU9QMh4h', 'D0jUtK8e9Z', 'CAdU8YqWcM', 'bR3UVkb2ah', 'scSUEWLZXO', 'SPinmyoBYJ', 'ITPnpCntwG', 'UnynTWIRZh'
Source: 2.2.RegAsm.exe.436060.0.raw.unpack, ywXCBSsXL20GxCBwtB4.cs | High entropy of concatenated method names: 'WGIA7pXqls', 'bM6AYyD5eA', 'BHWRf3kIwneTDcINIsb', 'lim8qDkMusJMyNYtL4L', 'puGxYVkGpSVPlZ938f7', 'BChsm5DupI', 'iTJsrO1qgZ', 'ggssSgv0DB', 'R8GspFYU51', 'v1vsBqB1WQ'
Source: 2.2.RegAsm.exe.436060.0.raw.unpack, iycOc4OBrCIqcimjTAQ.cs | High entropy of concatenated method names: 'VNJAypw7OG', 'qJiAusskyB', 'uy18Ytkhisf2ExTJW1J', 'n3nvUFk4OosKZo4bCnA', 'o9Ux5fkndnCLoYNQFhn', 'CvI3xykTow12KjcAvLx', 'UlAAi6V5CM', 'R2hn1lkoAcrBZOQsvLb', 'CKV74pkxarYvZMXr0MZ', 'VmApTLkeC243cc92203'
Source: 2.2.RegAsm.exe.436060.0.raw.unpack, u0NXHu0bkvMRgbfSJy8.cs | High entropy of concatenated method names: 'hgYAMdmK0g', 'M8fGurk3eZ1FFnYRI5U', 'NGqB8DkNlLEpOAMjIdq', 'iUsDmtk5WwBGjhj4PBr', 'vbo0Y17V2X', 'aMX0KbUph3', 'Dispose', 'rb80zO43DU', 'Q0pvd0gLxuGFYco0pN4', 'rR1KPygn8JrTspKJlEp'
Source: 2.2.RegAsm.exe.436060.0.raw.unpack, rKvsa3syrS73YeA7jyA.cs | High entropy of concatenated method names: 'F1msaJHgRl', 'AYpslkP5a2', 'n6DsiA7tnZ', 'cXlsFQYH2M', 'c9JsgWaU7y', 'RxZsdTg57w', 'hJBsCoCt0O', 'aduswwBmWf', 'Qt7s2vb2FY', 'mZ7sWobLdG'
Source: 2.2.RegAsm.exe.436060.0.raw.unpack, ASIA32GE8WnZlNuPFd.cs | High entropy of concatenated method names: 'AmxAPiyHXf', 'EAWYjBkBJd2GPPQeYy6', 'uS6jlEkDPSKUyhYrhW5', 'zlWhKXkcbEUjNDYpCeE', 'Field2', 'Field3', 'L5K7X4GXU', 'off206F04Lyl7CYs3xx', 'RDqLtOFJFt63rZo8nmD', 'fuE2WfFOx1XZOnj8trm'
Source: 2.2.RegAsm.exe.436060.0.raw.unpack, rSDSpq6PNmQKVcpcMNZ.cs | High entropy of concatenated method names: 'nCe6yn3XSf', 'ryC6uTKVnP', 'Qq86adOyQv', 'Tmh6lG8APu', 'hiIJhiCfZHOG3Tqtuj7', 'cIyvZqCmi469eHl14Hr', 'nQkrrICr0hJuZDFQZjv', 'oXdU7rCS8hhC3yGPtqc', 'LaRnqQCHWJ2OGsK2Bfp', 'zfaPCWCX0gbZZA0KZjv'
Source: 2.2.RegAsm.exe.436060.0.raw.unpack, gesyyeL87s3PHycCwjB.cs | High entropy of concatenated method names: 'gfSLbNeAbF', 'LCML7PG00q', 'FHcLY3S5QT', 'eVeLKxmD1W', 'bHeLz7hKNq', 'aKOnJNM6Nk', 'TLFnOoPsAI', 'rC8n0UOcIQ', 'lDcnslAAF4', 'HrSnUgr0kd'
Source: 2.2.RegAsm.exe.436060.0.raw.unpack, Vjy70LqGwwWppi5TZNJ.cs | High entropy of concatenated method names: 'hoLhylep9E', 'LWIhuUiHS8', 'SDSKSxk7PIpNHQwjjGW', 'tPh0hSkYr9sqNTtnwuZ', 'CGamJgkKFB2uaMWkP3c', 'KchWIykz1IdHLFwkjmw', 'iZrK3c9Jffj7ahtDWPe', 'NpJ3GW9Ooy7UJMXZI8K', 'CRb2f190Z79p3eyfnFd', 'asrbLg9sxmhFIivRY6h'
Source: 2.2.RegAsm.exe.436060.0.raw.unpack, oXutQK0fHr1rqG4SV0v.cs | High entropy of concatenated method names: 'ExpandEnvironmentVariable', 'WAp0r7xB9F', 'sDa0SlWmQ9', 'OMnZmCFIxKFkpSD6bLn', 'ONtDvZFM5hd1AbanMeU', 'euyBq6FGBestpSSCiVx', 'AHcHL4Fb7oGTcdEeZiW', 'KNO7dmF7lBjgiBgJ5M8', 'UyTcFcFYut9VLjoxExr'
Source: 2.2.RegAsm.exe.436060.0.raw.unpack, UEdYIrZeVJVB5DkBei.cs | High entropy of concatenated method names: 'Field1', 'Field2', 'Field3', 'xeENITlioHIS6jx5fS6', 'cVhSIMlFHMlZXDghyP2', 'exlNxIlg4cxfDXLCnph', 'GcjOX1ldVoEWIXgZtWG', 'vmbugalCWfHO5EVpgXp', 'O7hmcTlwmpXbfF9W1w6', 's58uxvl2uk4hmIWiRRF'
Source: 2.2.RegAsm.exe.436060.0.raw.unpack, XF74h1wZjOuXiQCriF.cs | High entropy of concatenated method names: 'Field1', 'KcYEWoioxRmXbg14ZTg', 'M0g4MJixxeWvfq06X6v', 'h7W86RiQYxEQfQyceC2', 'HJTrZKieIQDUiZVx0sV', 'fNvMGUiPToCS3pwmf9Z', 'qIEHRBiRUbneLEsKkoQ', 'hC4NVXiyqEGBQbfb4n4', 'cE1k67iTKwDtVQn6dD2', 'm7ji8qiZ4rMEx5EuwD9'
Source: 2.2.RegAsm.exe.436060.0.raw.unpack, EvIl806iCqlrVic9EL7.cs | High entropy of concatenated method names: 'M0H62wkQxa', 'kVP6kf3p9p', 'Tg66tnnwQA', 'Mk26VYfoxj', 'owJ6vab0RD', 'gDC6jaPI0c', 'yg26NWt2nn', 'Eyo65wv3LO', 'KsB6gDmZNP', 'DES6dul3E7'
Source: 2.2.RegAsm.exe.436060.0.raw.unpack, cBNyi2sYfgL3550bGU3.cs | High entropy of concatenated method names: 'RM5szeEQ1t', 'lXNUJr8S5h', 'XBEUOrC4na', 'BLiU0lb5ax', 'vbXUsIuYeN', 'Yd5UU0tqGG', 'YrKU6dHILU', 'sAaUqov7q3', 'ouQUHEZBRs', 'J72UXJwyCt'
Source: 2.2.RegAsm.exe.436060.0.raw.unpack, nsSneXq3eaD03mDbw7B.cs | High entropy of concatenated method names: 'HX6q5uO1hq', 'ERMq1W3NeI', 'hSaqIwS2Bm', 'DVPqMuYeZA', 'glPijjwHTjK1ij1NAAI', 's6PIJpw6B88fTvQkEDr', 'DOa6D6wqfDmqpO5Gh08', 'hFRVq7wXKQG031SyYX5', 'wQgrckwfFLw3WZ1uwCh', 'wvVcUAwm7lVIB62iR2a'
Source: 2.2.RegAsm.exe.436060.0.raw.unpack, qMNlr7xOiu102s6Kub.cs | High entropy of concatenated method names: 'Field1', 'CePe5a3BF', 'Field2', 'Field3', 'e02PBbjL3', 'fY8RRRypK', 'jZPyB5nGB', 'DBnZHdlE98h2Mipj0qJ', 'YsS9jZl8cK645wB2LsJ', 'cnYOa0lVlYqwk6Ay8nq'
Source: 2.2.RegAsm.exe.436060.0.raw.unpack, sRdhkaHVfRZvwMXFLXj.cs | High entropy of concatenated method names: 'eBihFcTG1B', 'S9fgDp9HUEC8yBow2E0', 'ppaNEP9XZIHMcXVlv0v', 'HLgBQj9fh9qdedanDa7', 'FLbhdruviE', 'N5yhCBkiJ9', 'yQPhwW5K00', 'o8mh2rUcBe', 'vFB0vH9rYSiK024lKgO', 'gckLAi9S86bmEPmvc8k'
Source: 2.2.RegAsm.exe.436060.0.raw.unpack, bYCbSc01eTuvRcAM3VG.cs | High entropy of concatenated method names: 'cvoAvslYP2', 'ADRE15ktrZqTrvCrUHd', 'lCsRAwk8HAe8EKkGIoZ', 'opo0MiOINU', 'zH60GTR4JY', 'r4Q0wqgcU0CebOvxxsX', 'UI9bsOgAPv6yL5FZO9F', 'C9OXVZghAg33SaXBFig'
Source: 2.2.RegAsm.exe.436060.0.raw.unpack, f6ZghHUDBXH2tYmbacT.cs | High entropy of concatenated method names: 'inlnSs5o2E', 'ITPnpCntwG', 'SPinmyoBYJ', 'VKnnBkR2Ev', 'XUEnDLjCNi', 'kppncMZvGA', 'hhbnAHm1XX', 'j8gnhuTAPg', 'eTuUAqgkg4', 'kq8n4vkfpL'
Source: 2.2.RegAsm.exe.436060.0.raw.unpack, C56DgqqHHPFZ3wjEp9K.cs | High entropy of concatenated method names: 'RwmqfVsYjb', 'YRpqrM6bO2', 'dt4qSHpYWO', 'Qw1qpMtuB7', 'LXXqBLRwVC', 'oEHqDhnw3g', 'Msmqcx9tRn', 'SQVqAVyR49', 'Nd0qh1npyC', 'LAlq4o51Sx'
Source: 2.2.RegAsm.exe.436060.0.raw.unpack, rukH9XSdr6847h0UoRO.cs | High entropy of concatenated method names: 'kwZSwIFouV', 'rOlS22NOjF', 'CVkSk7ZYLY', 'YnoS9lDe8j', 'hm7S8SFMwd', 'm6VSEUxt7r', 'j7ySvCbJny', 'ToString', 'xR3nQVWpiSONisnYS9I', 'xoGMiiWBYOpihJvvA2r'
Source: 2.2.RegAsm.exe.436060.0.raw.unpack, U3g2Fn0EMjdn1l2OYvs.cs | High entropy of concatenated method names: 'UuU0jDnJ9p', 'Eqr0NWRU3h', 'eyY052nXxo', 'iBi53ngrYwj6CBfJ2Gs', 'NnhUEFgf8vvSHwsF98v', 'gOWgAGgmTs3CM8QWTlu', 'GmDmRDgSbCqKpcglVEo', 'Endlltgp4TLDXxui6mq', 'PWLAKagBmMnDnAHYqN8'
Source: 2.2.RegAsm.exe.436060.0.raw.unpack, X92ilY6hK042XbCPDTJ.cs | High entropy of concatenated method names: 'fN96Lh5Ox5', 'N7W6n7rkw2', 'D5d7yIdYwGVL8tjfENp', 'dU2ukIdKWFyyViKIQi9', 'mQOmt2dz5i8WoquQYBQ', 'lsDFXsCJwLAMHNM5PPc', 'VExMMpCOjJujvRPkYRg', 'EeIe5vdbmvTVtbsXnI5', 'ddcpYsd7xPXvp3scuYu', 'Ye3MOSC09lD59ZMFlq8'
Source: 2.2.RegAsm.exe.436060.0.raw.unpack, ymPuo7hNqu7rH1NPowv.cs | High entropy of concatenated method names: 'pnFoJytIaQQM80HZRJF', 'Cl74jxtMDXLqLkPr77R', 'ceZLn1T8aH', 'uH21uRtYsLSpa2r1swI', 'a5OGRGtKMsbVJLIZQj4', 'qOkHXitzKZgOdiaKTpE', 'eqZY6O8JBhHIqwXiNVH', 'fqA6tl8OebDEe0jERat', 'bn9bBP800j6jcT3F1xa', 'PVEDbE8sG80Uja4IWdT'
Source: 2.2.RegAsm.exe.436060.0.raw.unpack, JXkW8tsDkYjKfFXHfYT.cs | High entropy of concatenated method names: 'aMasAS4Zf3', 'J5oshtQCCC', 'XKPs4kGo99', 'fFSsLZdN04', 'FCFsnrI8NZ', 'mB4sTcQIok', 'QuIsZvvrPX', 'u9oso7lnLU', 'HXYsxm61Qs', 'W8wsQZVH95'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created (dropped file): C:\Users\user\AppData\Roaming\DMINktnUtY.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created (dropped file): C:\Users\user\AppData\Roaming\J48w21dBmF.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe | Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe	Process information set: NOOPENFILEERRORBOX

                          Malware Analysis System Evasion

Source: Global behavior	Junk call stats: NtWriteFile 1254914
Source: DMINktnUtY.exe, 00000003.00000002.1702039637.00000000033A0000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1701185664.0000000002CB0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE@\^Q
Source: DMINktnUtY.exe, 00000003.00000002.1702039637.00000000033A0000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1701185664.0000000002CB0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE`,^Q
Source: DMINktnUtY.exe, 00000003.00000002.1702039637.00000000033A0000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1701185664.0000000002CB0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Memory allocated: 13C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Memory allocated: 3270000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Memory allocated: 2F70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe	Memory allocated: 2900000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe	Memory allocated: 2B80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe	Memory allocated: 2900000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe TID: 7536	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe TID: 7552	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ACACA1 FindFirstFileExW,0_2_00ACACA1
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe	Thread delayed: delay time: 922337203685477
Source: DMINktnUtY.exe, 00000003.00000002.1702039637.00000000033A0000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1701185664.0000000002CB0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe`,^q
Source: DMINktnUtY.exe, 00000003.00000002.1702039637.00000000033A0000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1701185664.0000000002CB0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe
Source: DMINktnUtY.exe, 00000003.00000002.1702039637.00000000033A0000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1701185664.0000000002CB0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe@\^q
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AB87A2 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00AB87A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AC203F mov ecx, dword ptr fs:[00000030h] 0_2_00AC203F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AC6B75 mov eax, dword ptr fs:[00000030h] 0_2_00AC6B75
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041913C mov eax, dword ptr fs:[00000030h] 2_2_0041913C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00411496 mov ecx, dword ptr fs:[00000030h] 2_2_00411496
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ACBE89 GetProcessHeap,0_2_00ACBE89
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AB88FE SetUnhandledExceptionFilter,0_2_00AB88FE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AB89B5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00AB89B5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AB87A2 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00AB87A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ABC783 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00ABC783
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00407AF1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00407AF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00407C53 SetUnhandledExceptionFilter,2_2_00407C53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00407D65 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00407D65
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040DD68 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_0040DD68
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Memory allocated: page read and write | page guard
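The evasion rows above are listed one signature at a time; a triage script can weigh them together. The following added example is not part of the Joe Sandbox report: it parses rows in the report's Source/description layout (the sample rows are constructed from the rows above, with a tab between the two columns) and scores the anti-analysis evidence. Two caveats drive the weights. The delay value 922337203685477 is 2^63 ticks of 100 ns expressed in milliseconds, the value an infinite relative wait (Sleep(INFINITE), or Thread.Sleep(Timeout.Infinite) in .NET) hands to NtDelayExecution, so it marks a parked thread rather than a timed stall that a sandbox could fast-forward through. The chain IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter is the MSVC CRT's fast-fail handler, present in every binary that links it, so by itself it is not anti-debugging. Write-watch allocations are also made by the .NET garbage collector, which is why they carry little weight. The process names vboxservice.exe and vmtoolsd.exe and all weights are this example's assumptions; only qemu-ga.exe appears in the report.

```python
"""Weigh the anti-analysis rows of a sandbox report together (added example)."""
import re
from collections import defaultdict

# Windows relative waits are 100-ns ticks in a signed 64-bit value; Sleep(INFINITE)
# hands NtDelayExecution the most negative value, 2**63 ticks, which is 922337203685477
# whole milliseconds: exactly the delay in the report. That is a parked thread, not a
# timed stall a sandbox could fast-forward through.
INFINITE_DELAY_MS = 2**63 // 10_000
LONG_SLEEP_MS = 3 * 60 * 1000          # the report's own ">= 3 min" threshold

# Guest-agent and tooling process names a sample may look for in the process list.
# qemu-ga.exe is the one in the report; the other two are assumed additions.
ANALYSIS_TOOL_PROCESSES = ("qemu-ga.exe", "vboxservice.exe", "vmtoolsd.exe")

# The MSVC CRT's fast-fail handler emits exactly this chain in every binary it links,
# so on its own it says nothing about the sample's intent.
CRT_FASTFAIL_CHAIN = ("IsProcessorFeaturePresent,IsDebuggerPresent,"
                      "SetUnhandledExceptionFilter,UnhandledExceptionFilter")

# Rows follow the report's "Source: <process><TAB><event>: <detail>" layout.
ROW_RE = re.compile(r"^Source:\s*(?P<src>[^\t]+)\t(?P<event>[^:]+):\s*(?P<detail>.*)$")


def classify(event, detail):
    """Yield (signal, weight) pairs for one report row; weights are assumed values."""
    if event == "Thread delayed":
        ms = int(detail.rsplit(" ", 1)[-1])
        if ms >= INFINITE_DELAY_MS:
            yield "sleep_forever", 3
        elif ms >= LONG_SLEEP_MS:
            yield "long_sleep", 2
    elif event == "Binary or memory string":
        lowered = detail.lower()
        for name in ANALYSIS_TOOL_PROCESSES:
            if name in lowered:
                yield "looks_for_" + name, 3
    elif event == "Memory allocated" and "write watch" in detail:
        # The .NET garbage collector also reserves memory with MEM_WRITE_WATCH, so a
        # managed sample produces this row routinely; hence the low weight.
        yield "write_watch", 1
    elif event == "Code function":
        if CRT_FASTFAIL_CHAIN in detail:
            yield "crt_fastfail", 0
        elif "IsDebuggerPresent" in detail:
            yield "isdebuggerpresent", 2
        if "fs:[00000030h]" in detail:       # PEB access through the TEB on 32-bit
            yield "peb_read", 1


def score_report(rows):
    """Return (signals, score): the sources behind each signal and the total weight,
    counting each (signal, source) pair once however often it recurs."""
    signals = defaultdict(set)
    score = 0
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        src = m["src"].strip().rsplit("\\", 1)[-1]
        event, detail = m["event"].strip(), m["detail"].strip()
        for signal, weight in classify(event, detail):
            if src not in signals[signal]:
                score += weight
            signals[signal].add(src)
    return dict(signals), score


# Constructed rows, copied from the report's evasion section with a tab between the columns.
SAMPLE_ROWS = [
    "Source: DMINktnUtY.exe\tBinary or memory string: \\QEMU-GA.EXE@\\^Q",
    "Source: C:\\Users\\user\\AppData\\Roaming\\DMINktnUtY.exe\tMemory allocated: 13C0000 memory reserve | memory write watch",
    "Source: C:\\Users\\user\\AppData\\Roaming\\DMINktnUtY.exe\tThread delayed: delay time: 922337203685477",
    "Source: C:\\Users\\user\\AppData\\Roaming\\J48w21dBmF.exe\tThread delayed: delay time: 922337203685477",
    "Source: C:\\Users\\user\\Desktop\\file.exe\tCode function: 0_2_00AB87A2 IsProcessorFeaturePresent,"
    "IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00AB87A2",
    "Source: C:\\Users\\user\\Desktop\\file.exe\tCode function: 0_2_00AC203F mov ecx, dword ptr fs:[00000030h] 0_2_00AC203F",
]

if __name__ == "__main__":
    found, total = score_report(SAMPLE_ROWS)
    for signal, sources in sorted(found.items()):
        print(f"{signal:28s} {sorted(sources)}")
    print("score:", total)
```

Run on the rows above, the two dropped executables each contribute a parked thread and the qemu-ga.exe lookup, while the CRT chain in file.exe contributes nothing, which is the point: the sample's evasion evidence is the process-name check and the junk-call hammering, not the IsDebuggerPresent rows.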

                          HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\file.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0106018D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,0_2_0106018D
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 426000
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 434000
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 436000
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 534000
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 110B008
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Users\user\AppData\Roaming\DMINktnUtY.exe "C:\Users\user\AppData\Roaming\DMINktnUtY.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Users\user\AppData\Roaming\J48w21dBmF.exe "C:\Users\user\AppData\Roaming\J48w21dBmF.exe"
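The call chain in 0_2_0106018D is the textbook process-hollowing order: create the host process, read its thread context, allocate executable memory at the host's image base (the allocation at 400000 is execute/read/write), write the new image (the write at 400000 begins with 4D5A, the MZ magic, and the later writes land on its sections), redirect the thread with SetThreadContext and resume it. The Wow64 variants show the injector handles both 32- and 64-bit hosts; the host here is the 32-bit RegAsm.exe from the .NET Framework directory, and the 2_2_0040xxxx functions the report attributes to RegAsm.exe fall inside the range file.exe wrote, so they belong to the injected image rather than to RegAsm.exe's own code. The hollowed host then starts the two dropped executables. The following added example is not part of the report: it correlates such rows (the sample rows are constructed from the rows above, with a tab between the two columns) into one finding naming injector, host, image base and what the host spawned, and it checks a "Code function" chain for the hollowing order while ignoring the unrelated calls between the steps.

```python
"""Correlate sandbox report rows into a process-hollowing finding (added example)."""
import re
from collections import defaultdict

# Canonical hollowing call order. Each step accepts the native or the Wow64 variant,
# because a 32-bit injector on 64-bit Windows manipulates the host through the latter.
HOLLOWING_STEPS = (
    {"CreateProcessA", "CreateProcessW"},
    {"GetThreadContext", "Wow64GetThreadContext"},
    {"VirtualAllocEx"},
    {"WriteProcessMemory"},
    {"SetThreadContext", "Wow64SetThreadContext"},
    {"ResumeThread"},
)
PE_MAGIC = "4D5A"   # "MZ": the first two bytes of every PE image

# Rows follow the report's "Source: <process><TAB><event>: <detail>" layout.
ROW_RE = re.compile(r"^Source:\s*(?P<src>[^\t]+)\t(?P<event>[^:]+):\s*(?P<detail>.*)$")
MEM_RE = re.compile(
    r"^(?P<target>\S+) base: (?P<base>[0-9A-Fa-f]+)"
    r"(?: protect: (?P<protect>.*?))?(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$"
)


def basename(path):
    return path.strip().rsplit("\\", 1)[-1]


def hollowing_sequence_present(api_chain):
    """True if the comma-separated API chain, as the report prints it, contains the
    hollowing steps in order; unrelated calls between the steps are ignored."""
    step = 0
    for token in api_chain.split(","):
        parts = token.split()
        api = parts[-1] if parts else ""
        if step < len(HOLLOWING_STEPS) and api in HOLLOWING_STEPS[step]:
            step += 1
    return step == len(HOLLOWING_STEPS)


def detect_injection(rows):
    """One finding per (injector, host) pair where the injector wrote a PE image into
    the host; the finding records whether the written base was allocated executable,
    whether the injector's code shows the hollowing order, and what the host spawned."""
    rwx = defaultdict(set)        # (injector, host) -> bases allocated executable+writable
    mz = defaultdict(set)         # (injector, host) -> bases that received an MZ header
    writes = defaultdict(int)     # (injector, host) -> number of cross-process writes
    hollow_chain = set()          # injectors whose code shows the API order above
    children = defaultdict(list)  # parent -> processes it created, in order
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        src = basename(m["src"])
        event, detail = m["event"].strip(), m["detail"].strip()
        if event in ("Memory allocated", "Memory written"):
            mm = MEM_RE.match(detail)
            if not mm:                # same-process allocations carry no "base:" field
                continue
            key = (src, basename(mm["target"]))
            protect = mm["protect"] or ""
            if event == "Memory allocated" and "execute" in protect and "write" in protect:
                rwx[key].add(mm["base"])
            elif event == "Memory written":
                writes[key] += 1
                if (mm["magic"] or "").upper() == PE_MAGIC:
                    mz[key].add(mm["base"])
        elif event == "Process created":
            children[src].append(basename(detail.split('"')[0]))
        elif event == "Code function" and hollowing_sequence_present(detail):
            hollow_chain.add(src)

    findings = []
    for injector, host in sorted(mz):
        key = (injector, host)
        findings.append({
            "injector": injector,
            "host": host,
            "image_base": sorted(mz[key]),
            "rwx_alloc_at_base": bool(mz[key] & rwx[key]),
            "writes": writes[key],
            "hollowing_api_order": injector in hollow_chain,
            "spawned_by_host": children.get(host, []),
        })
    return findings


# Constructed rows, copied from the report's HIPS/PFW section with a tab between the columns.
FILE_EXE = "C:\\Users\\user\\Desktop\\file.exe"
REGASM = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
ROAMING = "C:\\Users\\user\\AppData\\Roaming\\"
SAMPLE_ROWS = [
    f"Source: {FILE_EXE}\tMemory allocated: {REGASM} base: 400000 protect: page execute and read and write",
    f"Source: {FILE_EXE}\tCode function: 0_2_0106018D GetProcAddress,GetProcAddress,CreateProcessA,"
    "CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,"
    "VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,SetThreadContext,"
    "Wow64SetThreadContext,ResumeThread,ResumeThread,0_2_0106018D",
    f"Source: {FILE_EXE}\tMemory written: {REGASM} base: 400000 value starts with: 4D5A",
    f"Source: {FILE_EXE}\tMemory written: {REGASM} base: 401000",
    f"Source: {FILE_EXE}\tMemory written: {REGASM} base: 426000",
    f'Source: {FILE_EXE}\tProcess created: {REGASM} "{REGASM}"',
    f'Source: {REGASM}\tProcess created: {ROAMING}DMINktnUtY.exe "{ROAMING}DMINktnUtY.exe" ',
    f'Source: {REGASM}\tProcess created: {ROAMING}J48w21dBmF.exe "{ROAMING}J48w21dBmF.exe" ',
]

if __name__ == "__main__":
    for finding in detect_injection(SAMPLE_ROWS):
        print(finding)
```

The finding for these rows names file.exe as the injector and RegAsm.exe as the host with image base 400000, which is the process tree an analyst should carry into hunting: the stealer activity is attributed to a signed Microsoft binary, and the two executables in AppData\Roaming are children of that hollowed host, not of file.exe.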
Source: DMINktnUtY.exe, 00000003.00000002.1702039637.00000000034C4000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1701185664.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: GetProgmanWindow
Source: DMINktnUtY.exe, 00000003.00000002.1702039637.00000000034C4000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1701185664.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SetProgmanWindow
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AB8565 cpuid 0_2_00AB8565
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,0_2_00AC5185
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,0_2_00ACE107
Source: C:\Users\user\Desktop\file.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,0_2_00ACDAA1
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00ACE230
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,0_2_00ACE336
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,0_2_00ACDC9C
Source: C:\Users\user\Desktop\file.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00ACE405
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,0_2_00ACDD8E
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,0_2_00ACDD43
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,0_2_00AC56AB
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00ACDEB4
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,0_2_00ACDE29
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,2_2_0041E815
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,2_2_00414128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,2_2_0041EA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,2_2_0041EB91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,2_2_0041E402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,2_2_0041EC97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,2_2_0041ED66
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,2_2_0041E5FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,2_2_0041464E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,2_2_0041E6EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,2_2_0041E6A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,2_2_0041E78A
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Users\user\AppData\Roaming\DMINktnUtY.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Users\user\AppData\Roaming\J48w21dBmF.exe VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe | Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AB8BB2 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter | 0_2_00AB8BB2
Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 2.2.RegAsm.exe.436060.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsm.exe.4b3c60.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.DMINktnUtY.exe.cc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.J48w21dBmF.exe.740000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsm.exe.4b3c60.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsm.exe.436060.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000000.1681361554.0000000000742000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.1680428465.0000000000CC2000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1681601241.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe, type: DROPPED
Source: Yara match | File source: Process Memory Space: DMINktnUtY.exe PID: 7444, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: J48w21dBmF.exe PID: 7452, type: MEMORYSTR
Source: Yara match | File source: 2.2.RegAsm.exe.436060.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsm.exe.4b3c60.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.DMINktnUtY.exe.cc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.J48w21dBmF.exe.740000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsm.exe.4b3c60.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsm.exe.436060.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1681601241.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe, type: DROPPED

Remote Access Functionality

Source: Yara match | File source: 2.2.RegAsm.exe.436060.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsm.exe.4b3c60.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.DMINktnUtY.exe.cc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.J48w21dBmF.exe.740000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsm.exe.4b3c60.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsm.exe.436060.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000000.1681361554.0000000000742000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.1680428465.0000000000CC2000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1681601241.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe, type: DROPPED
Source: Yara match | File source: Process Memory Space: DMINktnUtY.exe PID: 7444, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: J48w21dBmF.exe PID: 7452, type: MEMORYSTR
Source: Yara match | File source: 2.2.RegAsm.exe.436060.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsm.exe.4b3c60.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.DMINktnUtY.exe.cc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.J48w21dBmF.exe.740000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsm.exe.4b3c60.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsm.exe.436060.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1681601241.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe, type: DROPPED
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 412 Process Injection | 1 Masquerading | 11 Input Capture | 1 System Time Discovery | Remote Services | 11 Input Capture | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 121 Security Software Discovery | Remote Desktop Protocol | 11 Archive Collected Data | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 31 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 412 Process Injection | NTDS | 31 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Deobfuscate/Decode Files or Information | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 21 Obfuscated Files or Information | Cached Domain Credentials | 33 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 11 Software Packing | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Timestomp | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Source | Detection | Scanner | Label
--- | --- | --- | ---
file.exe | 100% | Avira | HEUR/AGEN.1317026
file.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
--- | --- | --- | ---
C:\Users\user\AppData\Roaming\DMINktnUtY.exe | 100% | Avira | HEUR/AGEN.1323361
C:\Users\user\AppData\Roaming\J48w21dBmF.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\DMINktnUtY.exe | 100% | Joe Sandbox ML |

No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
--- | --- | --- | ---
http://www.apache.org/licenses/LICENSE-2.0 | 0% | URL Reputation | safe
http://www.fontbureau.com | 0% | URL Reputation | safe
http://www.fontbureau.com/designersG | 0% | URL Reputation | safe
https://api.ip.sb/ip | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/? | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.fontbureau.com/designers? | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.fontbureau.com/designers | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/cabarga.htmlN | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/frere-user.html | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.fontbureau.com/designers8 | 0% | URL Reputation | safe
http://www.fonts.com | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://discord.com/api/v9/users/ | 0% | Avira URL Cloud | safe
https://api.ip.s | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
--- | --- | --- | --- | --- | ---
56.126.166.20.in-addr.arpa | unknown | unknown | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
--- | --- | --- | --- | ---
http://www.apache.org/licenses/LICENSE-2.0 | DMINktnUtY.exe, 00000003.00000002.1708371377.0000000007222000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com | DMINktnUtY.exe, 00000003.00000002.1708371377.0000000007222000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designersG | DMINktnUtY.exe, 00000003.00000002.1708371377.0000000007222000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ip.sb/ip | J48w21dBmF.exe, 00000004.00000002.1701185664.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/bThe | DMINktnUtY.exe, 00000003.00000002.1708371377.0000000007222000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | DMINktnUtY.exe, 00000003.00000002.1708371377.0000000007222000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.com | J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ip.s | DMINktnUtY.exe, 00000003.00000002.1702039637.0000000003271000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1701185664.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers | J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.kr | DMINktnUtY.exe, 00000003.00000002.1708371377.0000000007222000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | DMINktnUtY.exe, 00000003.00000002.1708371377.0000000007222000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | DMINktnUtY.exe, 00000003.00000002.1708371377.0000000007222000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | DMINktnUtY.exe, 00000003.00000002.1708371377.0000000007222000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | DMINktnUtY.exe, 00000003.00000002.1708371377.0000000007222000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | DMINktnUtY.exe, 00000003.00000002.1708371377.0000000007222000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | DMINktnUtY.exe, 00000003.00000002.1708371377.0000000007222000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | DMINktnUtY.exe, 00000003.00000002.1708371377.0000000007222000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | DMINktnUtY.exe, 00000003.00000002.1708371377.0000000007222000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | DMINktnUtY.exe, 00000003.00000002.1708371377.0000000007222000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://discord.com/api/v9/users/ | J48w21dBmF.exe, 00000004.00000002.1701185664.0000000002CB0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | DMINktnUtY.exe, 00000003.00000002.1708371377.0000000007222000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | DMINktnUtY.exe, 00000003.00000002.1708371377.0000000007222000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | DMINktnUtY.exe, 00000003.00000002.1708371377.0000000007222000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.kr | DMINktnUtY.exe, 00000003.00000002.1708371377.0000000007222000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | DMINktnUtY.exe, 00000003.00000002.1708371377.0000000007222000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | DMINktnUtY.exe, 00000003.00000002.1708371377.0000000007222000.00000004.00000800.00020000.00000000.sdmp, J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | J48w21dBmF.exe, 00000004.00000002.1709171602.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown

No contacted IP infos
                            Joe Sandbox version:40.0.0 Tourmaline
                            Analysis ID:1482542
                            Start date and time:2024-07-26 01:01:30 +02:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 7m 5s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                            Number of analysed new started processes analysed:12
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:file.exe
                            Detection:MAL
                            Classification:mal100.troj.evad.winEXE@10/4@1/0
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 98%
                            • Number of executed functions: 58
                            • Number of non-executed functions: 77
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                            • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                            • Not all processes were analyzed; the report is missing behavior information
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • VT rate limit hit for: file.exe
                            No simulations
                            No context
                            Match | Associated Sample Name / URL | Detection | Threat Name
                            C:\Users\user\AppData\Roaming\J48w21dBmF.exe | file.exe | malicious | Amadey, Babadeda, LummaC Stealer, PureLog Stealer, RedLine, Stealc, Vidar
                            C:\Users\user\AppData\Roaming\J48w21dBmF.exe | setup.exe | malicious | LummaC, Amadey, LummaC Stealer, Mars Stealer, PureLog Stealer, Quasar, RedLine
                            C:\Users\user\AppData\Roaming\J48w21dBmF.exe | R4Hv8s2UzU.exe | malicious | PureLog Stealer, RedLine, zgRAT
                                  Process:C:\Users\user\AppData\Roaming\DMINktnUtY.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1119
                                  Entropy (8bit):5.345080863654519
                                  Encrypted:false
                                  SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0Hj
                                  MD5:88593431AEF401417595E7A00FE86E5F
                                  SHA1:1714B8F6F6DCAAB3F3853EDABA7687F16DD331F4
                                  SHA-256:ED5E60336FB00579E0867B9615CBD0C560BB667FE3CEE0674F690766579F1032
                                  SHA-512:1D442441F96E69D8A6D5FB7E8CF01F13AF88CA2C2D0960120151B15505DD1CADC607EF9983373BA8E422C65FADAB04A615968F335A875B5C075BB9A6D0F346C9
                                  Malicious:false
                                  Reputation:moderate, very likely benign file
                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                  Process:C:\Users\user\AppData\Roaming\J48w21dBmF.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1119
                                  Entropy (8bit):5.345080863654519
                                  Encrypted:false
                                  SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0Hj
                                  MD5:88593431AEF401417595E7A00FE86E5F
                                  SHA1:1714B8F6F6DCAAB3F3853EDABA7687F16DD331F4
                                  SHA-256:ED5E60336FB00579E0867B9615CBD0C560BB667FE3CEE0674F690766579F1032
                                  SHA-512:1D442441F96E69D8A6D5FB7E8CF01F13AF88CA2C2D0960120151B15505DD1CADC607EF9983373BA8E422C65FADAB04A615968F335A875B5C075BB9A6D0F346C9
                                  Malicious:false
                                  Reputation:moderate, very likely benign file
                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Category:dropped
                                  Size (bytes):522752
                                  Entropy (8bit):5.951577023655318
                                  Encrypted:false
                                  SSDEEP:6144:M7usalgH+8mMCcbOk3xJua0pKzTqpD0HN5O1oLKZSIV:M7usal++9kBq0OpGS2LuSIV
                                  MD5:74E358F24A40F37C8FFD7FA40D98683A
                                  SHA1:7A330075E6EA3D871EAEEFCECDEB1D2FEB2FC202
                                  SHA-256:0928C96B35CD4CC5887FB205731AA91EB68886B816BCC5EC151AEEE81CE4F9A6
                                  SHA-512:1525E07712C35111B56664E1589B1DB37965995CC8E6D9B6F931FA38B0AA8E8347FC08B870D03573D10F0D597A2CD9DB2598845C82B6C085F0DF04F2A3B46EAF
                                  Malicious:true
                                  Yara Hits:
                                  • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe, Author: Joe Security
                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe, Author: Joe Security
                                  • Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe, Author: ditekSHen
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  Reputation:low
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....................0......v........... ........@.. .......................`............@.....................................K.......pr...................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...pr.......t..................@..@.reloc.......@......................@..B........................H.......D...........f....(...)...........................................*...(....(....*.0...........s........~....%:....&~......"...s....%.....(...+o.....8[....o...............%..F~#...(.....%..G~#...(.....%..H~#...(.....%..e~#...(.....~$...(.......o......8......(......s.......su.......~....}....~...........s....(....o....}......{.....I~#...(....o........9......I~#...(.......8C........~#...(....o....:......{....~%...(....8......{....~&...(.........(...........9........o.....
                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Category:dropped
                                  Size (bytes):515072
                                  Entropy (8bit):5.8837492625998085
                                  Encrypted:false
                                  SSDEEP:6144:/y1uYzDsaZxRqwwyUwNUll+/i+jqybFrdpfuqbY+lid1Dq1DEYu:61uYzDdZxRqw4walQXbF7521e1op
                                  MD5:2C2BE38FB507206D36DDDB3D03096518
                                  SHA1:A16EDB81610A080096376D998E5DDC3E4B54BBD6
                                  SHA-256:0C7173DAAA5AD8DABE7A2CDE6DBD0EEE1CA790071443AA13B01A1E731053491E
                                  SHA-512:E436954D7D5B77FEB32F200CC48CB01F94B449887443A1E75EBEF2F6FA2139D989D65F5EA7A71F8562C3AAE2FEA4117EFC87E8AAE905E1BA466FBC8BB328B316
                                  Malicious:true
                                  Yara Hits:
                                  • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe, Author: Joe Security
                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe, Author: Joe Security
                                  • Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe, Author: ditekSHen
                                  Antivirus:
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  Joe Sandbox View:
                                  • Filename: file.exe, Detection: malicious
                                  • Filename: setup.exe, Detection: malicious
                                  • Filename: R4Hv8s2UzU.exe, Detection: malicious
                                  Reputation:low
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....O...............0..F...........d... ........@.. .......................@............@..................................c..K.......d.................... ....................................................... ............... ..H............text...4D... ...F.................. ..`.rsrc...d............H..............@..@.reloc....... ......................@..B.................d......H........Z..8...........$................................................*...(....(....*..(....*..(....*.0...........s........~....%:....&~......$...s....%.....(...+o.....8[....o...............%..F~(...(.....%..G~(...(.....%..H~(...(.....%..e~(...(.....~)...(.......o......8......(......s.......s........~....}....~...........s....(....o....}......{.....I~(...(....o........9......I~(...(.......8C........~(...(....o....:......{....~*...(....8......{....~+...(.........(..........
                                  File type:PE32 executable (console) Intel 80386, for MS Windows
                                  Entropy (8bit):7.929603549541649
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:file.exe
                                  File size:1'464'832 bytes
                                  MD5:04e90b2cf273efb3f6895cfcef1e59ba
                                  SHA1:79afcc39db33426ee8b97ad7bfb48f3f2e4c3449
                                  SHA256:e015f535c8a9fab72f2e06863c559108b1a25af90468cb9f80292c3ba2c33f6e
                                  SHA512:72aa08242507f6dd39822a34c68d6185927f6772a3fc03a0850d7c8542b21a43e176f29e5fbb3a4e54bc02fa68c807a01091158ef68c5a2f425cc432c95ea555
                                  SSDEEP:24576:HFTGHKQCRBkD/5vn3MdVu9VNY5oofD0f8jKchmlZ38HKlzNCPvk8IjOz4H0czmue:pGHW7E/5/kVQDooorBvmnVovHIakHVmH
                                  TLSH:3565220571C4C473D677253209E4E2B96ABEF8700BA25B8F67585F7E5F30683C630A6A
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........g.X.............t.......t.......t.......t..............n.......n.......n......._......._......._.......Rich...................
                                  Icon Hash:90cececece8e8eb0
                                  Entrypoint:0x408441
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows cui
                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x66A25DBA [Thu Jul 25 14:14:18 2024 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:6
                                  OS Version Minor:0
                                  File Version Major:6
                                  File Version Minor:0
                                  Subsystem Version Major:6
                                  Subsystem Version Minor:0
                                  Import Hash:6addd02d82538c2ca23958c8c292883b
                                  Instruction
                                  call 00007F3FE4CC6B9Eh
                                  jmp 00007F3FE4CC6259h
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  push ecx
                                  lea ecx, dword ptr [esp+08h]
                                  sub ecx, eax
                                  and ecx, 0Fh
                                  add eax, ecx
                                  sbb ecx, ecx
                                  or eax, ecx
                                  pop ecx
                                  jmp 00007F3FE4CC6C8Fh
                                  push ecx
                                  lea ecx, dword ptr [esp+08h]
                                  sub ecx, eax
                                  and ecx, 07h
                                  add eax, ecx
                                  sbb ecx, ecx
                                  or eax, ecx
                                  pop ecx
                                  jmp 00007F3FE4CC6C79h
                                  int3
                                  int3
                                  int3
                                  int3
                                  push ebx
                                  push esi
                                  mov eax, dword ptr [esp+18h]
                                  or eax, eax
                                  jne 00007F3FE4CC63FAh
                                  mov ecx, dword ptr [esp+14h]
                                  mov eax, dword ptr [esp+10h]
                                  xor edx, edx
                                  div ecx
                                  mov ebx, eax
                                  mov eax, dword ptr [esp+0Ch]
                                  div ecx
                                  mov edx, ebx
                                  jmp 00007F3FE4CC6423h
                                  mov ecx, eax
                                  mov ebx, dword ptr [esp+14h]
                                  mov edx, dword ptr [esp+10h]
                                  mov eax, dword ptr [esp+0Ch]
                                  shr ecx, 1
                                  rcr ebx, 1
                                  shr edx, 1
                                  rcr eax, 1
                                  or ecx, ecx
                                  jne 00007F3FE4CC63D6h
                                  div ebx
                                  mov esi, eax
                                  mul dword ptr [esp+18h]
                                  mov ecx, eax
                                  mov eax, dword ptr [esp+14h]
                                  mul esi
                                  add edx, ecx
                                  jc 00007F3FE4CC63F0h
                                  cmp edx, dword ptr [esp+10h]
                                  jnbe 00007F3FE4CC63EAh
                                  jc 00007F3FE4CC63E9h
                                  cmp eax, dword ptr [esp+0Ch]
                                  jbe 00007F3FE4CC63E3h
                                  dec esi
                                  xor edx, edx
                                  mov eax, esi
                                  pop esi
                                  pop ebx
                                  retn 0010h
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  push ebx
                                  mov eax, dword ptr [esp+14h]
                                  or eax, eax
                                  jne 00007F3FE4CC63FAh
                                  mov ecx, dword ptr [esp+10h]
                                  mov eax, dword ptr [esp+0Ch]
                                  xor edx, edx
                                  div ecx
                                  mov eax, dword ptr [esp+08h]
                                  Name | Virtual Address | Virtual Size | Is in Section
                                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x309c0 | 0xb8 | .rdata
                                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x30a78 | 0x28 | .rdata
                                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | 
                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | 
                                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | 
                                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x168000 | 0x2064 | .reloc
                                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2df48 | 0x1c | .rdata
                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
                                  IMAGE_DIRECTORY_ENTRY_TLS | 0x2df80 | 0x18 | .rdata
                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2de88 | 0x40 | .rdata
                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
                                  IMAGE_DIRECTORY_ENTRY_IAT | 0x26000 | 0x16c | .rdata
                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | 
                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | 
                                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 
                                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                  .text | 0x1000 | 0x23147 | 0x23200 | 8fb69ceb8576bdf5e51d052017e8d4ae | False | 0.5813083852313167 | data | 6.624309201579866 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                  .zzZ | 0x25000 | 0x720 | 0x800 | a5a1587b92aec5f21fa2f42d68b726ee | False | 0.66845703125 | data | 6.146447531049635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                  .rdata | 0x26000 | 0xb2f2 | 0xb400 | 4e7c5ece6142a0ce583c14cfe96ef121 | False | 0.422265625 | data | 4.893998198324542 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                  .data | 0x32000 | 0x1354bc | 0x134600 | 3062aaa0c6480fc87b81dd06f16eeae1 | False | 0.9957952789319011 | data | 7.998850387116656 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                  .reloc | 0x168000 | 0x2064 | 0x2200 | 17d8a3f3c7e5dfa01b689c1ca66d78fe | False | 0.7172564338235294 | data | 6.402163113953746 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                  DLL | Import
                                  KERNEL32.dll | WaitForSingleObject, CreateThread, VirtualAllocEx, FreeConsole, RaiseException, InitOnceBeginInitialize, InitOnceComplete, CloseHandle, GetCurrentThreadId, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, WakeAllConditionVariable, SleepConditionVariableSRW, GetLastError, FreeLibraryWhenCallbackReturns, CreateThreadpoolWork, SubmitThreadpoolWork, CloseThreadpoolWork, GetModuleHandleExW, IsProcessorFeaturePresent, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, QueryPerformanceCounter, EncodePointer, DecodePointer, MultiByteToWideChar, WideCharToMultiByte, LCMapStringEx, GetSystemTimeAsFileTime, GetModuleHandleW, GetProcAddress, GetStringTypeW, GetCPInfo, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetCurrentProcess, TerminateProcess, GetCurrentProcessId, InitializeSListHead, CreateFileW, RtlUnwind, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleFileNameW, GetStdHandle, WriteFile, GetCommandLineA, GetCommandLineW, HeapFree, HeapAlloc, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, GetFileSizeEx, SetFilePointerEx, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, GetProcessHeap, SetStdHandle, HeapSize, WriteConsoleW
                                  Name | Ordinal | Address
                                  QuitMessageStr | 1 | 0x42570f
                                  _QuitMessageStr | 2 | 0x42570f
                                  _QuitMessageStr2 | 3 | 0x42570f
                                  _QuitMessageStr3 | 4 | 0x42570f
                                  _QuitMessageStr4 | 5 | 0x42570f
                                  Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
                                  2024-07-26T01:02:39.138594+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49735 | 52.165.165.26 | 192.168.2.4
                                  2024-07-26T01:03:00.592832+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 62408 | 20.12.23.50 | 192.168.2.4
                                  2024-07-26T01:02:59.378967+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 62407 | 20.12.23.50 | 192.168.2.4
                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                  Jul 26, 2024 01:02:41.086441994 CEST | 53 | 54177 | 1.1.1.1 | 192.168.2.4
                                  Jul 26, 2024 01:02:54.647083044 CEST | 53 | 52629 | 162.159.36.2 | 192.168.2.4
                                  Jul 26, 2024 01:02:55.165905952 CEST | 60705 | 53 | 192.168.2.4 | 1.1.1.1
                                  Jul 26, 2024 01:02:55.174444914 CEST | 53 | 60705 | 1.1.1.1 | 192.168.2.4
                                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                  Jul 26, 2024 01:02:55.165905952 CEST | 192.168.2.4 | 1.1.1.1 | 0x58d | Standard query (0) | 56.126.166.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                  Jul 26, 2024 01:02:55.174444914 CEST | 1.1.1.1 | 192.168.2.4 | 0x58d | Name error (3) | 56.126.166.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false


                                  Target ID:0
                                  Start time:19:02:18
                                  Start date:25/07/2024
                                  Path:C:\Users\user\Desktop\file.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\file.exe"
                                  Imagebase:0xab0000
                                  File size:1'464'832 bytes
                                  MD5 hash:04E90B2CF273EFB3F6895CFCEF1E59BA
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:low
                                  Has exited:true

                                  Target ID:1
                                  Start time:19:02:18
                                  Start date:25/07/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:2
                                  Start time:19:02:21
                                  Start date:25/07/2024
                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                  Imagebase:0xe30000
                                  File size:65'440 bytes
                                  MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: 00000002.00000002.1681601241.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.1681601241.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: 00000002.00000002.1681601241.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                  Reputation:high
                                  Has exited:true

                                  Target ID:3
                                  Start time:19:02:22
                                  Start date:25/07/2024
                                  Path:C:\Users\user\AppData\Roaming\DMINktnUtY.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\AppData\Roaming\DMINktnUtY.exe"
                                  Imagebase:0xcc0000
                                  File size:522'752 bytes
                                  MD5 hash:74E358F24A40F37C8FFD7FA40D98683A
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000000.1680428465.0000000000CC2000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe, Author: Joe Security
                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe, Author: Joe Security
                                  • Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: C:\Users\user\AppData\Roaming\DMINktnUtY.exe, Author: ditekSHen
                                  Antivirus matches:
                                  • Detection: 100%, Avira
                                  • Detection: 100%, Joe Sandbox ML
                                  Reputation:low
                                  Has exited:true

                                  Target ID:4
                                  Start time:19:02:22
                                  Start date:25/07/2024
                                  Path:C:\Users\user\AppData\Roaming\J48w21dBmF.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\AppData\Roaming\J48w21dBmF.exe"
                                  Imagebase:0x740000
                                  File size:515'072 bytes
                                  MD5 hash:2C2BE38FB507206D36DDDB3D03096518
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000000.1681361554.0000000000742000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe, Author: Joe Security
                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe, Author: Joe Security
                                  • Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe, Author: ditekSHen
                                  Antivirus matches:
                                  • Detection: 100%, Joe Sandbox ML
                                  Reputation:low
                                  Has exited:true

                                  Target ID:5
                                  Start time:19:02:22
                                  Start date:25/07/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:6
                                  Start time:19:02:22
                                  Start date:25/07/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true
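Triaging these "Target ID" blocks by hand does not scale once a report lists a dozen processes, so the following added example (not part of the Joe Sandbox report and not Joe Security's code) parses the plain-text records above into Python objects and applies a few triage rules a responder would actually use: image launched from a user-writable profile directory, Yara or antivirus hits, low reputation, and whether a flagged process held administrator privileges. The sample input is the record of the dropped J48w21dBmF.exe and one conhost.exe instance, copied from the report with a few fields omitted for brevity; the rule names and thresholds are the example's own choices.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: two (abridged) process records copied from the
# report above, the dropped J48w21dBmF.exe and one conhost.exe instance.
SAMPLE_REPORT = r"""
Target ID:4
Start time:19:02:22
Path:C:\Users\user\AppData\Roaming\J48w21dBmF.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\J48w21dBmF.exe"
MD5 hash:2C2BE38FB507206D36DDDB3D03096518
Has administrator privileges:true
Yara matches:
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe, Author: Joe Security
• Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: C:\Users\user\AppData\Roaming\J48w21dBmF.exe, Author: ditekSHen
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
Reputation:low
Has exited:true

Target ID:5
Start time:19:02:22
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has administrator privileges:true
Reputation:high
Has exited:true
"""


@dataclass
class ProcessRecord:
    fields: dict = field(default_factory=dict)  # "Path" -> "C:\\..."
    lists: dict = field(default_factory=dict)   # "Yara matches" -> [bullet text, ...]


def parse_records(text):
    """One ProcessRecord per 'Target ID:' block.

    'key:value' lines are split at the first colon only, so timestamps and
    drive letters survive; a 'key:' line with an empty value opens a bullet
    list that collects the following '•' lines.
    """
    records, current, list_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Target ID:"):
            current, list_key = ProcessRecord(), None
            records.append(current)
        if current is None:
            continue
        if line.startswith("•"):
            if list_key is not None:
                current.lists.setdefault(list_key, []).append(line.lstrip("• "))
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if value:
            current.fields[key] = value
            list_key = None
        else:
            list_key = key
            current.lists.setdefault(key, [])
    return records


def yara_rules(rec):
    """Rule names from the 'Yara matches' bullets, in report order."""
    out = []
    for item in rec.lists.get("Yara matches", []):
        m = re.match(r"Rule:\s*([^,]+)", item)
        if m:
            out.append(m.group(1).strip())
    return out


# Per-user profile locations that any unprivileged process can write to.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\", re.IGNORECASE)


def triage(rec):
    """Human-readable findings for one record; an empty list means nothing flagged."""
    findings = []
    if USER_WRITABLE.search(rec.fields.get("Path", "")):
        findings.append("image runs from a user-writable profile directory")
    rules = yara_rules(rec)
    if rules:
        findings.append("yara: " + ", ".join(rules))
    if rec.lists.get("Antivirus matches"):
        findings.append("antivirus: " + "; ".join(rec.lists["Antivirus matches"]))
    if rec.fields.get("Reputation") == "low":
        findings.append("low reputation")
    if findings and rec.fields.get("Has administrator privileges") == "true":
        findings.append("flagged process holds administrator privileges")
    return findings


def iocs(records):
    """(path, lowercase md5) for every flagged process, ready for a blocklist or hunt."""
    return [(r.fields["Path"], r.fields["MD5 hash"].lower())
            for r in records if triage(r)]


if __name__ == "__main__":
    for rec in parse_records(SAMPLE_REPORT):
        print(rec.fields["Target ID"], rec.fields["Path"], triage(rec))
    print(iocs(parse_records(SAMPLE_REPORT)))
```

Run against the two records, the script flags only Target 4 (five findings) and leaves conhost.exe alone; the MD5 is lower-cased so it can be matched against case-insensitive hash feeds. Splitting at the first colon is what keeps "Start time:19:02:22" and the quoted command lines intact; splitting on every colon would corrupt both.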


                                    Execution Graph

                                    Execution Coverage:5.4%
                                    Dynamic/Decrypted Code Coverage:100%
                                    Signature Coverage:1.3%
                                    Total number of Nodes:2000
                                    Total number of Limit Nodes:38
                                    execution_graph: rendered call graph of the sample (interactive figure; raw node and edge data not reproduced). Nodes are function addresses (ab10e1 through ad5712 in the listing) labelled with CRT-internal names (___scrt_uninitialize_crt, __FrameHandler3::FrameUnwindToState, __dosmaperr, std::_Throw_Cpp_error, ___vcrt_FlsSetValue, ...) and the Win32 APIs they reach. APIs named in the graph:
                                    • Process/thread and remote memory: CreateThread, WaitForSingleObject, VirtualAllocEx (allocates memory in another process), GetCurrentProcess, TerminateProcess, ExitProcess, GetCurrentThreadId, FreeConsole
                                    • Debugger and environment checks: IsDebuggerPresent, GetPEB, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RaiseException
                                    • Loader: GetModuleHandleW, GetModuleHandleExW, LoadLibraryExW, GetProcAddress, FreeLibrary
                                    • Synchronisation: EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, ReleaseSRWLockExclusive, SleepConditionVariableSRW, InitOnceBeginInitialize, InitOnceComplete
                                    • CRT, locale and I/O: TlsAlloc, TlsSetValue, TlsGetValue, TlsFree, GetACP, GetOEMCP, GetCPInfo, IsValidCodePage, MultiByteToWideChar, WideCharToMultiByte, LCMapStringEx, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetStdHandle, GetFileType, WriteFile, FlushFileBuffers, GetLastError, SetLastError, HeapSize, GetSystemTimePreciseAsFileTime, GetSystemTimeAsFileTime
20479->20481 20480->20474 20482 ac1137 __dosmaperr 14 API calls 20481->20482 20483 ad1569 20482->20483 20484 abc97f __strnicoll 41 API calls 20483->20484 20485 ad1574 20484->20485 20485->20474 20487 aca6b9 20486->20487 20488 aca6c4 20486->20488 20489 ac5bdf __fread_nolock 15 API calls 20487->20489 20490 aca6cc 20488->20490 20496 aca6d5 __dosmaperr 20488->20496 20494 aca6c1 20489->20494 20491 ac4beb ___free_lconv_mon 14 API calls 20490->20491 20491->20494 20492 aca6ff HeapReAlloc 20492->20494 20492->20496 20493 aca6da 20495 ac1137 __dosmaperr 14 API calls 20493->20495 20494->20478 20495->20494 20496->20492 20496->20493 20497 ac1c0b codecvt 2 API calls 20496->20497 20497->20496 20498->20469 20542 ac88c8 20543 ac88d5 20542->20543 20546 ac88ed 20542->20546 20544 ac1137 __dosmaperr 14 API calls 20543->20544 20545 ac88da 20544->20545 20547 abc97f __strnicoll 41 API calls 20545->20547 20548 ac9c6c 14 API calls 20546->20548 20550 ac894c 20546->20550 20556 ac88e5 20546->20556 20547->20556 20548->20550 20549 ac6a14 _Fputc 41 API calls 20551 ac8965 20549->20551 20550->20549 20562 ac9554 20551->20562 20554 ac6a14 _Fputc 41 API calls 20555 ac899e 20554->20555 20555->20556 20557 ac6a14 _Fputc 41 API calls 20555->20557 20558 ac89ac 20557->20558 20558->20556 20559 ac6a14 _Fputc 41 API calls 20558->20559 20560 ac89ba 20559->20560 20561 ac6a14 _Fputc 41 API calls 20560->20561 20561->20556 20563 ac9560 __FrameHandler3::FrameUnwindToState 20562->20563 20564 ac9568 20563->20564 20565 ac9580 20563->20565 20567 ac1124 __dosmaperr 14 API calls 20564->20567 20566 ac963d 20565->20566 20571 ac95b6 20565->20571 20569 ac1124 __dosmaperr 14 API calls 20566->20569 20568 ac956d 20567->20568 20570 ac1137 __dosmaperr 14 API calls 20568->20570 20572 ac9642 20569->20572 20573 ac896d 20570->20573 20574 ac95bf 20571->20574 20575 ac95d4 20571->20575 20576 ac1137 __dosmaperr 14 API calls 20572->20576 20573->20554 20573->20556 20577 ac1124 __dosmaperr 14 API calls 20574->20577 20592 acc1e7 
EnterCriticalSection 20575->20592 20587 ac95cc 20576->20587 20579 ac95c4 20577->20579 20582 ac1137 __dosmaperr 14 API calls 20579->20582 20580 ac95da 20583 ac960b 20580->20583 20584 ac95f6 20580->20584 20581 abc97f __strnicoll 41 API calls 20581->20573 20582->20587 20593 ac9668 20583->20593 20585 ac1137 __dosmaperr 14 API calls 20584->20585 20588 ac95fb 20585->20588 20587->20581 20590 ac1124 __dosmaperr 14 API calls 20588->20590 20589 ac9606 20656 ac9635 20589->20656 20590->20589 20592->20580 20594 ac967a 20593->20594 20595 ac9692 20593->20595 20596 ac1124 __dosmaperr 14 API calls 20594->20596 20597 ac99e8 20595->20597 20600 ac96d8 20595->20600 20598 ac967f 20596->20598 20599 ac1124 __dosmaperr 14 API calls 20597->20599 20601 ac1137 __dosmaperr 14 API calls 20598->20601 20602 ac99ed 20599->20602 20603 ac96e3 20600->20603 20607 ac9687 20600->20607 20611 ac9713 20600->20611 20601->20607 20604 ac1137 __dosmaperr 14 API calls 20602->20604 20606 ac1124 __dosmaperr 14 API calls 20603->20606 20605 ac96f0 20604->20605 20609 abc97f __strnicoll 41 API calls 20605->20609 20608 ac96e8 20606->20608 20607->20589 20610 ac1137 __dosmaperr 14 API calls 20608->20610 20609->20607 20610->20605 20612 ac972c 20611->20612 20613 ac9746 20611->20613 20614 ac9777 20611->20614 20612->20613 20621 ac9731 20612->20621 20615 ac1124 __dosmaperr 14 API calls 20613->20615 20616 ac5bdf __fread_nolock 15 API calls 20614->20616 20617 ac974b 20615->20617 20620 ac9788 20616->20620 20618 ac1137 __dosmaperr 14 API calls 20617->20618 20622 ac9752 20618->20622 20619 ad052e __fread_nolock 41 API calls 20623 ac98c4 20619->20623 20624 ac4beb ___free_lconv_mon 14 API calls 20620->20624 20621->20619 20625 abc97f __strnicoll 41 API calls 20622->20625 20626 ac9938 20623->20626 20629 ac98dd GetConsoleMode 20623->20629 20627 ac9791 20624->20627 20655 ac975d __fread_nolock 20625->20655 20628 ac993c ReadFile 20626->20628 20630 ac4beb ___free_lconv_mon 14 API calls 20627->20630 20631 ac9954 20628->20631 20632 ac99b0 
GetLastError 20628->20632 20629->20626 20633 ac98ee 20629->20633 20634 ac9798 20630->20634 20631->20632 20637 ac992d 20631->20637 20635 ac99bd 20632->20635 20636 ac9914 20632->20636 20633->20628 20638 ac98f4 ReadConsoleW 20633->20638 20639 ac97bd 20634->20639 20640 ac97a2 20634->20640 20642 ac1137 __dosmaperr 14 API calls 20635->20642 20636->20655 20665 ac10dd 20636->20665 20651 ac9979 20637->20651 20652 ac9990 20637->20652 20637->20655 20638->20637 20644 ac990e GetLastError 20638->20644 20659 ac9c0e 20639->20659 20641 ac1137 __dosmaperr 14 API calls 20640->20641 20646 ac97a7 20641->20646 20647 ac99c2 20642->20647 20644->20636 20645 ac4beb ___free_lconv_mon 14 API calls 20645->20607 20649 ac1124 __dosmaperr 14 API calls 20646->20649 20650 ac1124 __dosmaperr 14 API calls 20647->20650 20649->20655 20650->20655 20670 ac9382 20651->20670 20652->20655 20683 ac91da 20652->20683 20655->20645 20695 acc20a LeaveCriticalSection 20656->20695 20658 ac963b 20658->20573 20660 ac9c22 _Fputc 20659->20660 20661 ac9b2d __fread_nolock 43 API calls 20660->20661 20662 ac9c37 20661->20662 20663 abc6bb _Fputc 41 API calls 20662->20663 20664 ac9c46 20663->20664 20664->20621 20666 ac1124 __dosmaperr 14 API calls 20665->20666 20667 ac10e8 __dosmaperr 20666->20667 20668 ac1137 __dosmaperr 14 API calls 20667->20668 20669 ac10fb 20668->20669 20669->20655 20689 ac908e 20670->20689 20672 aca722 __strnicoll MultiByteToWideChar 20674 ac9496 20672->20674 20677 ac949f GetLastError 20674->20677 20680 ac93ca 20674->20680 20675 ac9424 20681 ac9c0e __fread_nolock 43 API calls 20675->20681 20682 ac93de 20675->20682 20676 ac9414 20678 ac1137 __dosmaperr 14 API calls 20676->20678 20679 ac10dd __dosmaperr 14 API calls 20677->20679 20678->20680 20679->20680 20680->20655 20681->20682 20682->20672 20684 ac9211 20683->20684 20685 ac92a1 20684->20685 20686 ac92a6 ReadFile 20684->20686 20685->20655 20686->20685 20687 ac92c3 20686->20687 20687->20685 20688 ac9c0e __fread_nolock 43 API calls 20687->20688 
20688->20685 20690 ac90c2 20689->20690 20691 ac9131 ReadFile 20690->20691 20692 ac912c 20690->20692 20691->20692 20693 ac914a 20691->20693 20692->20675 20692->20676 20692->20680 20692->20682 20693->20692 20694 ac9c0e __fread_nolock 43 API calls 20693->20694 20694->20692 20695->20658 20759 ab70c4 20760 ab70d8 20759->20760 20766 ab7133 20760->20766 20767 ab6ace 20760->20767 20763 ab7120 20763->20766 20779 ac0362 20763->20779 20768 ab6b37 20767->20768 20771 ab6ae8 20767->20771 20769 ab8107 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 20768->20769 20770 ab6b4e 20769->20770 20770->20763 20770->20766 20773 ac09f4 20770->20773 20771->20768 20772 ac0cf6 69 API calls 20771->20772 20772->20768 20774 ac0a07 _Fputc 20773->20774 20793 ac0793 20774->20793 20777 abc6bb _Fputc 41 API calls 20778 ac0a29 20777->20778 20778->20763 20780 ac036d 20779->20780 20781 ac0382 20779->20781 20784 ac1137 __dosmaperr 14 API calls 20780->20784 20782 ac039f 20781->20782 20783 ac038a 20781->20783 20825 ac904d 20782->20825 20785 ac1137 __dosmaperr 14 API calls 20783->20785 20787 ac0372 20784->20787 20788 ac038f 20785->20788 20789 abc97f __strnicoll 41 API calls 20787->20789 20790 abc97f __strnicoll 41 API calls 20788->20790 20792 ac037d 20789->20792 20791 ac039a 20790->20791 20791->20766 20792->20766 20794 ac079f __FrameHandler3::FrameUnwindToState 20793->20794 20795 ac07a5 20794->20795 20797 ac07d9 20794->20797 20796 abc902 _Fputc 41 API calls 20795->20796 20798 ac07c0 20796->20798 20804 abd5f7 EnterCriticalSection 20797->20804 20798->20777 20800 ac07e5 20805 ac0908 20800->20805 20802 ac07fc 20814 ac0825 20802->20814 20804->20800 20806 ac092e 20805->20806 20807 ac091b 20805->20807 20817 ac082f 20806->20817 20807->20802 20809 ac09df 20809->20802 20810 ac0951 20810->20809 20811 ac00ee ___scrt_uninitialize_crt 66 API calls 20810->20811 20813 ac097f 20811->20813 20821 ac9c4e 20813->20821 20824 abd60b LeaveCriticalSection 20814->20824 20816 ac082d 20816->20798 20818 ac0840 20817->20818 20820 
ac0898 20817->20820 20819 ac9c0e __fread_nolock 43 API calls 20818->20819 20818->20820 20819->20820 20820->20810 20822 ac9b2d __fread_nolock 43 API calls 20821->20822 20823 ac9c67 20822->20823 20823->20809 20824->20816 20826 ac9061 _Fputc 20825->20826 20831 ac8a62 20826->20831 20829 abc6bb _Fputc 41 API calls 20830 ac907b 20829->20830 20830->20791 20832 ac8a6e __FrameHandler3::FrameUnwindToState 20831->20832 20833 ac8a98 20832->20833 20834 ac8a75 20832->20834 20842 abd5f7 EnterCriticalSection 20833->20842 20835 abc902 _Fputc 41 API calls 20834->20835 20841 ac8a8e 20835->20841 20837 ac8aa6 20843 ac8af1 20837->20843 20839 ac8ab5 20856 ac8ae7 20839->20856 20841->20829 20842->20837 20844 ac8b28 20843->20844 20845 ac8b00 20843->20845 20846 ac6a14 _Fputc 41 API calls 20844->20846 20847 abc902 _Fputc 41 API calls 20845->20847 20848 ac8b31 20846->20848 20854 ac8b1b __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 20847->20854 20859 ac9bf0 20848->20859 20851 ac8bdb 20862 ac8e51 20851->20862 20853 ac8bf2 20853->20854 20874 ac8c92 20853->20874 20854->20839 20881 abd60b LeaveCriticalSection 20856->20881 20858 ac8aef 20858->20841 20860 ac9a07 45 API calls 20859->20860 20861 ac8b4f 20860->20861 20861->20851 20861->20853 20861->20854 20863 ac8e60 ___scrt_uninitialize_crt 20862->20863 20864 ac6a14 _Fputc 41 API calls 20863->20864 20866 ac8e7c __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 20864->20866 20865 ab8107 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 20867 ac8ffa 20865->20867 20868 ac9bf0 45 API calls 20866->20868 20873 ac8e88 20866->20873 20867->20854 20869 ac8edc 20868->20869 20870 ac8f0e ReadFile 20869->20870 20869->20873 20871 ac8f35 20870->20871 20870->20873 20872 ac9bf0 45 API calls 20871->20872 20872->20873 20873->20865 20875 ac6a14 _Fputc 41 API calls 20874->20875 20876 ac8ca5 20875->20876 20877 ac9bf0 45 API calls 20876->20877 20880 ac8ced __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 20876->20880 20878 ac8d40 20877->20878 20879 ac9bf0 45 API calls 20878->20879 
20878->20880 20879->20880 20880->20854 20881->20858 20021 106018d 20022 10601c5 CreateProcessA VirtualAlloc Wow64GetThreadContext ReadProcessMemory VirtualAllocEx 20021->20022 20024 10603a2 WriteProcessMemory 20022->20024 20025 10603e7 20024->20025 20026 10603ec WriteProcessMemory 20025->20026 20027 1060429 WriteProcessMemory Wow64SetThreadContext ResumeThread 20025->20027 20026->20025 18095 ad546e 18112 ab7dbe 18095->18112 18098 ad54a3 18102 ad54b5 18098->18102 18141 ab4387 18098->18141 18103 ad54ff 18102->18103 18145 ab19e3 18102->18145 18124 ab222a 18103->18124 18107 ad551e _Ref_count_obj 18108 ad553e 18107->18108 18155 ab1800 18107->18155 18159 ab8107 18108->18159 18111 ad554d 18115 ab7dc3 18112->18115 18114 ab7ddd 18114->18098 18137 ab217e 18114->18137 18115->18114 18117 ab7ddf 18115->18117 18166 abf2de 18115->18166 18176 ac1c0b 18115->18176 18118 ab4246 Concurrency::cancel_current_task 18117->18118 18120 ab7de9 codecvt 18117->18120 18173 ab9362 18118->18173 18122 ab9362 Concurrency::cancel_current_task RaiseException 18120->18122 18121 ab4262 18123 ab8790 18122->18123 18397 ab1777 18124->18397 18126 ab224d 18127 ad554f 18126->18127 18132 ad556a 18127->18132 18136 ad5624 18127->18136 18130 ab13cb 71 API calls 18130->18132 18131 ab1eb7 98 API calls 18131->18132 18132->18130 18132->18131 18135 ab1800 _Deallocate 41 API calls 18132->18135 18132->18136 18557 abd44e 18132->18557 18563 ab1920 18132->18563 18135->18132 18571 ab433b 18136->18571 18138 ab219b _strlen 18137->18138 18755 ab1653 18138->18755 18140 ab21a8 18140->18098 18142 ab439b 18141->18142 18143 ab4392 18141->18143 18142->18102 18144 ab1800 _Deallocate 41 API calls 18143->18144 18144->18142 18146 ab19ef __EH_prolog3_catch 18145->18146 18147 ab1a9b 18146->18147 18148 ab1a0f 18146->18148 18149 ab4528 43 API calls 18147->18149 18151 ab454e 43 API calls 18148->18151 18150 ab1aa0 18149->18150 18152 ab1a24 18151->18152 18153 ab340b 41 API calls 18152->18153 18154 ab1a7a codecvt 18153->18154 18154->18102 
18156 ab181a _Ref_count_obj 18155->18156 18157 ab180d 18155->18157 18156->18108 18765 ab30c2 18157->18765 18160 ab810f 18159->18160 18161 ab8110 IsProcessorFeaturePresent 18159->18161 18160->18111 18163 ab89f2 18161->18163 18772 ab89b5 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 18163->18772 18165 ab8ad5 18165->18111 18171 ac5bdf __dosmaperr 18166->18171 18167 ac5c1d 18179 ac1137 18167->18179 18169 ac5c08 RtlAllocateHeap 18170 ac5c1b 18169->18170 18169->18171 18170->18115 18171->18167 18171->18169 18172 ac1c0b codecvt 2 API calls 18171->18172 18172->18171 18174 ab93a9 RaiseException 18173->18174 18175 ab937c 18173->18175 18174->18121 18175->18174 18386 ac1c38 18176->18386 18182 ac4a51 GetLastError 18179->18182 18181 ac113c 18181->18170 18183 ac4a67 18182->18183 18184 ac4a6d 18182->18184 18205 ac562a 18183->18205 18188 ac4a71 SetLastError 18184->18188 18210 ac5669 18184->18210 18188->18181 18191 ac4a9e 18192 ac4aa6 18191->18192 18193 ac4ab7 18191->18193 18194 ac5669 __dosmaperr 6 API calls 18192->18194 18195 ac5669 __dosmaperr 6 API calls 18193->18195 18196 ac4ab4 18194->18196 18197 ac4ac3 18195->18197 18222 ac4beb 18196->18222 18198 ac4ade 18197->18198 18199 ac4ac7 18197->18199 18228 ac472e 18198->18228 18200 ac5669 __dosmaperr 6 API calls 18199->18200 18200->18196 18204 ac4beb ___free_lconv_mon 12 API calls 18204->18188 18233 ac5419 18205->18233 18208 ac564f 18208->18184 18209 ac5661 TlsGetValue 18211 ac5419 _unexpected 5 API calls 18210->18211 18212 ac5685 18211->18212 18213 ac4a89 18212->18213 18214 ac56a3 TlsSetValue 18212->18214 18213->18188 18215 ac511b 18213->18215 18220 ac5128 __dosmaperr 18215->18220 18216 ac5153 HeapAlloc 18218 ac5166 18216->18218 18216->18220 18217 ac5168 18219 ac1137 __dosmaperr 13 API calls 18217->18219 18218->18191 18219->18218 18220->18216 18220->18217 18221 ac1c0b codecvt 2 API calls 18220->18221 18221->18220 18223 ac4bf6 HeapFree 18222->18223 18227 ac4c20 18222->18227 18224 ac4c0b 
GetLastError 18223->18224 18223->18227 18225 ac4c18 __dosmaperr 18224->18225 18226 ac1137 __dosmaperr 12 API calls 18225->18226 18226->18227 18227->18188 18248 ac45c2 18228->18248 18234 ac5447 18233->18234 18235 ac5443 18233->18235 18234->18235 18240 ac534e 18234->18240 18235->18208 18235->18209 18238 ac5461 GetProcAddress 18238->18235 18239 ac5471 _unexpected 18238->18239 18239->18235 18246 ac535f ___vcrt_FlsSetValue 18240->18246 18241 ac53f5 18241->18235 18241->18238 18242 ac537d LoadLibraryExW 18243 ac53fc 18242->18243 18244 ac5398 GetLastError 18242->18244 18243->18241 18245 ac540e FreeLibrary 18243->18245 18244->18246 18245->18241 18246->18241 18246->18242 18247 ac53cb LoadLibraryExW 18246->18247 18247->18243 18247->18246 18249 ac45ce __FrameHandler3::FrameUnwindToState 18248->18249 18262 abf268 EnterCriticalSection 18249->18262 18251 ac45d8 18263 ac4608 18251->18263 18254 ac46d4 18255 ac46e0 __FrameHandler3::FrameUnwindToState 18254->18255 18267 abf268 EnterCriticalSection 18255->18267 18257 ac46ea 18268 ac48b5 18257->18268 18259 ac4702 18272 ac4722 18259->18272 18262->18251 18266 abf2b0 LeaveCriticalSection 18263->18266 18265 ac45f6 18265->18254 18266->18265 18267->18257 18269 ac48eb __Getctype 18268->18269 18270 ac48c4 __Getctype 18268->18270 18269->18259 18270->18269 18275 acd088 18270->18275 18385 abf2b0 LeaveCriticalSection 18272->18385 18274 ac4710 18274->18204 18277 acd108 18275->18277 18278 acd09e 18275->18278 18279 ac4beb ___free_lconv_mon 14 API calls 18277->18279 18302 acd156 18277->18302 18278->18277 18283 ac4beb ___free_lconv_mon 14 API calls 18278->18283 18285 acd0d1 18278->18285 18280 acd12a 18279->18280 18281 ac4beb ___free_lconv_mon 14 API calls 18280->18281 18286 acd13d 18281->18286 18282 ac4beb ___free_lconv_mon 14 API calls 18287 acd0fd 18282->18287 18289 acd0c6 18283->18289 18284 acd164 18288 acd1c4 18284->18288 18300 ac4beb 14 API calls ___free_lconv_mon 18284->18300 18290 ac4beb ___free_lconv_mon 14 API calls 18285->18290 18301 acd0f3 
18285->18301 18291 ac4beb ___free_lconv_mon 14 API calls 18286->18291 18292 ac4beb ___free_lconv_mon 14 API calls 18287->18292 18293 ac4beb ___free_lconv_mon 14 API calls 18288->18293 18303 acc33e 18289->18303 18295 acd0e8 18290->18295 18296 acd14b 18291->18296 18292->18277 18297 acd1ca 18293->18297 18331 acc7f2 18295->18331 18299 ac4beb ___free_lconv_mon 14 API calls 18296->18299 18297->18269 18299->18302 18300->18284 18301->18282 18343 acd1f9 18302->18343 18304 acc34f 18303->18304 18330 acc438 18303->18330 18305 ac4beb ___free_lconv_mon 14 API calls 18304->18305 18308 acc360 18304->18308 18305->18308 18306 acc372 18307 acc384 18306->18307 18310 ac4beb ___free_lconv_mon 14 API calls 18306->18310 18311 acc396 18307->18311 18312 ac4beb ___free_lconv_mon 14 API calls 18307->18312 18308->18306 18309 ac4beb ___free_lconv_mon 14 API calls 18308->18309 18309->18306 18310->18307 18313 acc3a8 18311->18313 18314 ac4beb ___free_lconv_mon 14 API calls 18311->18314 18312->18311 18315 acc3ba 18313->18315 18317 ac4beb ___free_lconv_mon 14 API calls 18313->18317 18314->18313 18316 acc3cc 18315->18316 18318 ac4beb ___free_lconv_mon 14 API calls 18315->18318 18319 acc3de 18316->18319 18320 ac4beb ___free_lconv_mon 14 API calls 18316->18320 18317->18315 18318->18316 18321 acc3f0 18319->18321 18322 ac4beb ___free_lconv_mon 14 API calls 18319->18322 18320->18319 18323 acc402 18321->18323 18325 ac4beb ___free_lconv_mon 14 API calls 18321->18325 18322->18321 18324 acc414 18323->18324 18326 ac4beb ___free_lconv_mon 14 API calls 18323->18326 18327 acc426 18324->18327 18328 ac4beb ___free_lconv_mon 14 API calls 18324->18328 18325->18323 18326->18324 18329 ac4beb ___free_lconv_mon 14 API calls 18327->18329 18327->18330 18328->18327 18329->18330 18330->18285 18332 acc7ff 18331->18332 18333 acc857 18331->18333 18334 acc80f 18332->18334 18335 ac4beb ___free_lconv_mon 14 API calls 18332->18335 18333->18301 18336 acc821 18334->18336 18337 ac4beb ___free_lconv_mon 14 API calls 18334->18337 
18335->18334 18338 acc833 18336->18338 18339 ac4beb ___free_lconv_mon 14 API calls 18336->18339 18337->18336 18340 acc845 18338->18340 18341 ac4beb ___free_lconv_mon 14 API calls 18338->18341 18339->18338 18340->18333 18342 ac4beb ___free_lconv_mon 14 API calls 18340->18342 18341->18340 18342->18333 18344 acd206 18343->18344 18348 acd225 18343->18348 18344->18348 18349 accd0d 18344->18349 18347 ac4beb ___free_lconv_mon 14 API calls 18347->18348 18348->18284 18350 accdeb 18349->18350 18351 accd1e 18349->18351 18350->18347 18352 acca6c __Getctype 14 API calls 18351->18352 18353 accd26 18352->18353 18354 acca6c __Getctype 14 API calls 18353->18354 18355 accd31 18354->18355 18356 acca6c __Getctype 14 API calls 18355->18356 18357 accd3c 18356->18357 18358 acca6c __Getctype 14 API calls 18357->18358 18359 accd47 18358->18359 18360 acca6c __Getctype 14 API calls 18359->18360 18361 accd55 18360->18361 18362 ac4beb ___free_lconv_mon 14 API calls 18361->18362 18363 accd60 18362->18363 18364 ac4beb ___free_lconv_mon 14 API calls 18363->18364 18365 accd6b 18364->18365 18366 ac4beb ___free_lconv_mon 14 API calls 18365->18366 18367 accd76 18366->18367 18368 acca6c __Getctype 14 API calls 18367->18368 18369 accd84 18368->18369 18370 acca6c __Getctype 14 API calls 18369->18370 18371 accd92 18370->18371 18372 acca6c __Getctype 14 API calls 18371->18372 18373 accda3 18372->18373 18374 acca6c __Getctype 14 API calls 18373->18374 18375 accdb1 18374->18375 18376 acca6c __Getctype 14 API calls 18375->18376 18377 accdbf 18376->18377 18378 ac4beb ___free_lconv_mon 14 API calls 18377->18378 18379 accdca 18378->18379 18380 ac4beb ___free_lconv_mon 14 API calls 18379->18380 18381 accdd5 18380->18381 18385->18274 18387 ac1c44 __FrameHandler3::FrameUnwindToState 18386->18387 18392 abf268 EnterCriticalSection 18387->18392 18389 ac1c4f 18393 ac1c8b 18389->18393 18392->18389 18396 abf2b0 LeaveCriticalSection 18393->18396 18395 ac1c16 18395->18115 18396->18395 18398 ab1781 18397->18398 18400 
ab178a 18397->18400 18401 ab3106 18398->18401 18400->18126 18402 ab312c 18401->18402 18403 ab3116 18401->18403 18415 ab4528 18402->18415 18408 ab454e 18403->18408 18409 ab4559 18408->18409 18410 ab4566 18408->18410 18418 ab1578 18409->18418 18426 ab4246 18410->18426 18413 ab311c 18413->18400 18523 ab4eb5 18415->18523 18419 ab158b 18418->18419 18420 ab1583 18418->18420 18422 ab1597 18419->18422 18424 ab7dbe codecvt 16 API calls 18419->18424 18430 ab159a 18420->18430 18422->18413 18425 ab1595 18424->18425 18425->18413 18427 ab4254 Concurrency::cancel_current_task 18426->18427 18428 ab9362 Concurrency::cancel_current_task RaiseException 18427->18428 18429 ab4262 18428->18429 18431 ab15a9 18430->18431 18432 ab4246 Concurrency::cancel_current_task 18430->18432 18433 ab7dbe codecvt 16 API calls 18431->18433 18435 ab9362 Concurrency::cancel_current_task RaiseException 18432->18435 18434 ab15af 18433->18434 18434->18432 18436 ab1589 18434->18436 18438 abc98f 18434->18438 18437 ab4262 18435->18437 18436->18413 18443 abc8cb 18438->18443 18442 abc9ab 18444 abc8dd _Fputc 18443->18444 18453 abc902 18444->18453 18446 abc8f5 18464 abc6bb 18446->18464 18449 abc9ac IsProcessorFeaturePresent 18450 abc9b8 18449->18450 18517 abc783 18450->18517 18454 abc919 18453->18454 18455 abc912 18453->18455 18460 abc927 18454->18460 18474 abc6f7 18454->18474 18470 abc720 GetLastError 18455->18470 18458 abc94e 18459 abc9ac __Getctype 11 API calls 18458->18459 18458->18460 18461 abc97e 18459->18461 18460->18446 18462 abc8cb __strnicoll 41 API calls 18461->18462 18463 abc98b 18462->18463 18463->18446 18465 abc6c7 18464->18465 18466 abc6de 18465->18466 18499 abc766 18465->18499 18468 abc6f1 18466->18468 18469 abc766 _Fputc 41 API calls 18466->18469 18468->18449 18469->18468 18471 abc739 18470->18471 18477 ac4b02 18471->18477 18475 abc71b 18474->18475 18476 abc702 GetLastError SetLastError 18474->18476 18475->18458 18476->18458 18478 ac4b1b 18477->18478 18479 ac4b15 18477->18479 18481 ac5669 
__dosmaperr 6 API calls 18478->18481 18498 abc751 SetLastError 18478->18498 18480 ac562a __dosmaperr 6 API calls 18479->18480 18480->18478 18482 ac4b35 18481->18482 18483 ac511b __dosmaperr 14 API calls 18482->18483 18482->18498 18484 ac4b45 18483->18484 18485 ac4b4d 18484->18485 18486 ac4b62 18484->18486 18488 ac5669 __dosmaperr 6 API calls 18485->18488 18487 ac5669 __dosmaperr 6 API calls 18486->18487 18489 ac4b6e 18487->18489 18490 ac4b59 18488->18490 18491 ac4b81 18489->18491 18492 ac4b72 18489->18492 18495 ac4beb ___free_lconv_mon 14 API calls 18490->18495 18494 ac472e __dosmaperr 14 API calls 18491->18494 18493 ac5669 __dosmaperr 6 API calls 18492->18493 18493->18490 18496 ac4b8c 18494->18496 18495->18498 18497 ac4beb ___free_lconv_mon 14 API calls 18496->18497 18497->18498 18498->18454 18500 abc779 18499->18500 18501 abc770 18499->18501 18500->18466 18502 abc720 _Fputc 16 API calls 18501->18502 18503 abc775 18502->18503 18503->18500 18506 abc9fb 18503->18506 18507 ac4cf3 __FrameHandler3::FrameUnwindToState EnterCriticalSection LeaveCriticalSection 18506->18507 18509 abca00 18507->18509 18508 abca0b 18511 abca34 18508->18511 18512 abca15 IsProcessorFeaturePresent 18508->18512 18509->18508 18510 ac4d38 __FrameHandler3::FrameUnwindToState 40 API calls 18509->18510 18510->18508 18513 ac2110 __FrameHandler3::FrameUnwindToState 23 API calls 18511->18513 18514 abca21 18512->18514 18515 abca3e 18513->18515 18516 abc783 __FrameHandler3::FrameUnwindToState 8 API calls 18514->18516 18516->18511 18518 abc79f __fread_nolock __FrameHandler3::FrameUnwindToState 18517->18518 18519 abc7cb IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 18518->18519 18520 abc89c __FrameHandler3::FrameUnwindToState 18519->18520 18521 ab8107 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 18520->18521 18522 abc8ba GetCurrentProcess TerminateProcess 18521->18522 18522->18442 18528 ab4e4c 18523->18528 18526 ab9362 Concurrency::cancel_current_task RaiseException 18527 
ab4ed4 18526->18527 18531 ab25eb 18528->18531 18534 ab92e0 18531->18534 18535 ab2617 18534->18535 18536 ab92ed 18534->18536 18535->18526 18536->18535 18537 abf2de ___std_exception_copy 15 API calls 18536->18537 18538 ab930a 18537->18538 18539 ab931a 18538->18539 18542 ac44aa 18538->18542 18551 abc9e0 18539->18551 18543 ac44b8 18542->18543 18544 ac44c6 18542->18544 18543->18544 18549 ac44de 18543->18549 18545 ac1137 __dosmaperr 14 API calls 18544->18545 18546 ac44ce 18545->18546 18554 abc97f 18546->18554 18548 ac44d8 18548->18539 18549->18548 18550 ac1137 __dosmaperr 14 API calls 18549->18550 18550->18546 18552 ac4beb ___free_lconv_mon 14 API calls 18551->18552 18553 abc9f8 18552->18553 18553->18535 18555 abc8cb __strnicoll 41 API calls 18554->18555 18556 abc98b 18555->18556 18556->18548 18558 abd461 _Fputc 18557->18558 18575 abca70 18558->18575 18560 abd47b 18561 abc6bb _Fputc 41 API calls 18560->18561 18562 abd488 18561->18562 18562->18132 18565 ab192c __EH_prolog3_catch 18563->18565 18564 ab4528 43 API calls 18566 ab19dd 18564->18566 18567 ab454e 43 API calls 18565->18567 18570 ab19b7 codecvt 18565->18570 18568 ab1961 18567->18568 18751 ab340b 18568->18751 18570->18132 18570->18564 18572 ab4353 18571->18572 18573 ab4343 18571->18573 18572->18107 18574 ab1800 _Deallocate 41 API calls 18573->18574 18574->18572 18589 abd37b 18575->18589 18577 abcaca 18583 abcaee 18577->18583 18596 abd320 18577->18596 18578 abca82 18578->18577 18579 abca97 18578->18579 18588 abcab2 std::_Locinfo::_Locinfo_dtor 18578->18588 18581 abc902 _Fputc 41 API calls 18579->18581 18581->18588 18585 abcb12 18583->18585 18603 abd3b8 18583->18603 18584 abcb9a 18586 abd2c1 41 API calls 18584->18586 18585->18584 18610 abd2c1 18585->18610 18586->18588 18588->18560 18590 abd393 18589->18590 18591 abd380 18589->18591 18590->18578 18592 ac1137 __dosmaperr 14 API calls 18591->18592 18593 abd385 18592->18593 18594 abc97f __strnicoll 41 API calls 18593->18594 18595 abd390 18594->18595 18595->18578 18597 
abc766 _Fputc 41 API calls 18596->18597 18598 abd330 18597->18598 18616 ac508c 18598->18616 18604 abd3da 18603->18604 18605 abd3c4 18603->18605 18609 abd3ea 18604->18609 18699 ac4f94 18604->18699 18694 abf70f 18605->18694 18608 abd3cf std::_Locinfo::_Locinfo_dtor 18608->18583 18609->18583 18611 abd2d2 18610->18611 18612 abd2e6 18610->18612 18611->18612 18613 ac1137 __dosmaperr 14 API calls 18611->18613 18612->18584 18614 abd2db 18613->18614 18615 abc97f __strnicoll 41 API calls 18614->18615 18615->18612 18617 abd34d 18616->18617 18618 ac50a3 18616->18618 18620 ac50ea 18617->18620 18618->18617 18624 acd2d4 18618->18624 18621 abd35a 18620->18621 18622 ac5101 18620->18622 18621->18583 18622->18621 18673 acb73a 18622->18673 18625 acd2e0 __FrameHandler3::FrameUnwindToState 18624->18625 18637 ac4900 GetLastError 18625->18637 18628 acd32f 18628->18617 18630 acd307 18665 acd355 18630->18665 18635 abc9fb __purecall 41 API calls 18636 acd354 18635->18636 18638 ac4916 18637->18638 18639 ac491c 18637->18639 18640 ac562a __dosmaperr 6 API calls 18638->18640 18641 ac5669 __dosmaperr 6 API calls 18639->18641 18643 ac4920 SetLastError 18639->18643 18640->18639 18642 ac4938 18641->18642 18642->18643 18645 ac511b __dosmaperr 14 API calls 18642->18645 18647 ac49b5 18643->18647 18648 ac49b0 18643->18648 18646 ac494d 18645->18646 18649 ac4955 18646->18649 18650 ac4966 18646->18650 18651 abc9fb __purecall 39 API calls 18647->18651 18648->18628 18664 abf268 EnterCriticalSection 18648->18664 18652 ac5669 __dosmaperr 6 API calls 18649->18652 18653 ac5669 __dosmaperr 6 API calls 18650->18653 18654 ac49ba 18651->18654 18655 ac4963 18652->18655 18656 ac4972 18653->18656 18661 ac4beb ___free_lconv_mon 14 API calls 18655->18661 18657 ac498d 18656->18657 18658 ac4976 18656->18658 18659 ac472e __dosmaperr 14 API calls 18657->18659 18660 ac5669 __dosmaperr 6 API calls 18658->18660 18662 ac4998 18659->18662 18660->18655 18661->18643 18663 ac4beb ___free_lconv_mon 14 API calls 18662->18663 
18663->18643 18664->18630 18666 acd318 18665->18666 18667 acd363 __Getctype 18665->18667 18669 acd334 18666->18669 18667->18666 18668 acd088 __Getctype 14 API calls 18667->18668 18668->18666 18672 abf2b0 LeaveCriticalSection 18669->18672 18671 acd32b 18671->18628 18671->18635 18672->18671 18674 ac4900 __Getctype 41 API calls 18673->18674 18675 acb73f 18674->18675 18678 acb652 18675->18678 18679 acb65e __FrameHandler3::FrameUnwindToState 18678->18679 18680 acb678 18679->18680 18689 abf268 EnterCriticalSection 18679->18689 18682 acb67f 18680->18682 18685 abc9fb __purecall 41 API calls 18680->18685 18682->18621 18683 acb6b4 18690 acb6d1 18683->18690 18686 acb6f1 18685->18686 18687 acb688 18687->18683 18688 ac4beb ___free_lconv_mon 14 API calls 18687->18688 18688->18683 18689->18687 18693 abf2b0 LeaveCriticalSection 18690->18693 18692 acb6d8 18692->18680 18693->18692 18695 ac4900 __Getctype 41 API calls 18694->18695 18696 abf71a 18695->18696 18706 ac505f 18696->18706 18710 ac114a 18699->18710 18703 ac4fc1 18704 ab8107 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 18703->18704 18705 ac505d 18704->18705 18705->18609 18707 abf72a 18706->18707 18708 ac5072 18706->18708 18707->18608 18708->18707 18709 acd2d4 __Getctype 41 API calls 18708->18709 18709->18707 18711 ac1168 18710->18711 18717 ac1161 18710->18717 18712 ac4900 __Getctype 41 API calls 18711->18712 18711->18717 18713 ac1189 18712->18713 18714 ac505f __Getctype 41 API calls 18713->18714 18715 ac119f 18714->18715 18733 ac50bd 18715->18733 18717->18703 18718 ac7740 18717->18718 18719 ac114a __strnicoll 41 API calls 18718->18719 18720 ac7760 18719->18720 18737 aca722 18720->18737 18722 ac778d 18723 ac7824 18722->18723 18724 ac781c 18722->18724 18729 ac77b2 __fread_nolock __alloca_probe_16 18722->18729 18740 ac5bdf 18722->18740 18725 ab8107 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 18723->18725 18747 ab7bc6 18724->18747 18728 ac7847 18725->18728 18728->18703 18729->18724 18730 aca722 __strnicoll 
MultiByteToWideChar 18729->18730 18731 ac77fd 18730->18731 18731->18724 18732 ac7808 GetStringTypeW 18731->18732 18732->18724 18734 ac50e5 18733->18734 18735 ac50d0 18733->18735 18734->18717 18735->18734 18736 acb73a __strnicoll 41 API calls 18735->18736 18736->18734 18739 aca733 MultiByteToWideChar 18737->18739 18739->18722 18741 ac5c1d 18740->18741 18745 ac5bed __dosmaperr 18740->18745 18742 ac1137 __dosmaperr 14 API calls 18741->18742 18744 ac5c1b 18742->18744 18743 ac5c08 RtlAllocateHeap 18743->18744 18743->18745 18744->18729 18745->18741 18745->18743 18746 ac1c0b codecvt 2 API calls 18745->18746 18746->18745 18748 ab7bd0 18747->18748 18750 ab7be1 18747->18750 18749 abc9e0 std::_Locinfo::~_Locinfo 14 API calls 18748->18749 18748->18750 18749->18750 18750->18723 18752 ab3413 18751->18752 18753 ab3423 18751->18753 18754 ab1800 _Deallocate 41 API calls 18752->18754 18753->18570 18754->18753 18756 ab16be 18755->18756 18759 ab1664 std::_Throw_Cpp_error 18755->18759 18762 ab451d 18756->18762 18760 ab1578 std::_Throw_Cpp_error 43 API calls 18759->18760 18761 ab166b std::_Throw_Cpp_error 18759->18761 18760->18761 18761->18140 18763 ab4eb5 std::_Throw_Cpp_error 43 API calls 18762->18763 18764 ab4527 18763->18764 18766 ab30df 18765->18766 18767 ab30dc 18765->18767 18768 abc8cb __strnicoll 41 API calls 18766->18768 18767->18156 18769 abc99e 18768->18769 18770 abc9ac __Getctype 11 API calls 18769->18770 18771 abc9ab 18770->18771 18772->18165 21377 ab7042 21378 ab7055 21377->21378 21380 ab7069 21378->21380 21381 ac1027 21378->21381 21382 ac1033 __FrameHandler3::FrameUnwindToState 21381->21382 21383 ac104f 21382->21383 21384 ac103a 21382->21384 21394 abd5f7 EnterCriticalSection 21383->21394 21385 ac1137 __dosmaperr 14 API calls 21384->21385 21387 ac103f 21385->21387 21390 abc97f __strnicoll 41 API calls 21387->21390 21388 ac1059 21395 ac0f2e 21388->21395 21392 ac104a 21390->21392 21392->21380 21394->21388 21396 ac0f46 21395->21396 21398 ac0fb6 21395->21398 21397 ac6a14 
_Fputc 41 API calls 21396->21397 21402 ac0f4c 21397->21402 21399 ac9c6c 14 API calls 21398->21399 21400 ac0fae 21398->21400 21399->21400 21406 ac1092 21400->21406 21401 ac0f9e 21403 ac1137 __dosmaperr 14 API calls 21401->21403 21402->21398 21402->21401 21404 ac0fa3 21403->21404 21405 abc97f __strnicoll 41 API calls 21404->21405 21405->21400 21409 abd60b LeaveCriticalSection 21406->21409 21408 ac1098 21408->21392 21409->21408 22862 ab7253 22863 ab725f 22862->22863 22867 ab7296 22863->22867 22868 ac0ef4 22863->22868 22866 ab6c39 41 API calls 22866->22867 22869 ac0f07 _Fputc 22868->22869 22874 ac0e2b 22869->22874 22871 ac0f1c 22872 abc6bb _Fputc 41 API calls 22871->22872 22873 ab7283 22872->22873 22873->22866 22873->22867 22875 ac0e3d 22874->22875 22877 ac0e60 22874->22877 22876 abc902 _Fputc 41 API calls 22875->22876 22878 ac0e58 22876->22878 22877->22875 22879 ac0e87 22877->22879 22878->22871 22882 ac0d30 22879->22882 22883 ac0d3c __FrameHandler3::FrameUnwindToState 22882->22883 22890 abd5f7 EnterCriticalSection 22883->22890 22885 ac0d4a 22891 ac0d8b 22885->22891 22887 ac0d57 22900 ac0d7f 22887->22900 22890->22885 22892 ac00ee ___scrt_uninitialize_crt 66 API calls 22891->22892 22893 ac0da6 22892->22893 22894 ac59ad 14 API calls 22893->22894 22895 ac0db0 22894->22895 22896 ac511b __dosmaperr 14 API calls 22895->22896 22899 ac0dcb 22895->22899 22897 ac0def 22896->22897 22898 ac4beb ___free_lconv_mon 14 API calls 22897->22898 22898->22899 22899->22887 22903 abd60b LeaveCriticalSection 22900->22903 22902 ac0d68 22902->22871 22903->22902 19942 ac6ba6 19943 ac6a14 _Fputc 41 API calls 19942->19943 19946 ac6bb3 19943->19946 19944 ac6bbf 19945 ac6c0b 19945->19944 19953 ac6c6d 19945->19953 19973 ac6a50 19945->19973 19946->19944 19946->19945 19965 ac6d6e 19946->19965 19954 ac6c9c 19953->19954 19955 ac6a14 _Fputc 41 API calls 19954->19955 19956 ac6cab 19955->19956 19957 ac6cbe 19956->19957 19958 ac6d51 19956->19958 19960 ac6cdb 19957->19960 19963 ac6d02 19957->19963 19959 
ac85c0 ___scrt_uninitialize_crt 66 API calls 19958->19959 19961 ac6c7e 19959->19961 19962 ac85c0 ___scrt_uninitialize_crt 66 API calls 19960->19962 19962->19961 19963->19961 19984 ac9bb0 19963->19984 19966 ac6d84 19965->19966 19967 ac6d88 19965->19967 19966->19945 19968 acc2be __fread_nolock 41 API calls 19967->19968 19972 ac6dd7 19967->19972 19969 ac6da9 19968->19969 19970 ac6db1 SetFilePointerEx 19969->19970 19969->19972 19971 ac6dc8 GetFileSizeEx 19970->19971 19970->19972 19971->19972 19972->19945 19974 ac6a5c 19973->19974 19975 ac6a7d 19974->19975 19976 ac6a14 _Fputc 41 API calls 19974->19976 19975->19953 19979 ac9c6c 19975->19979 19977 ac6a77 19976->19977 20012 ad052e 19977->20012 19980 ac511b __dosmaperr 14 API calls 19979->19980 19981 ac9c89 19980->19981 19982 ac4beb ___free_lconv_mon 14 API calls 19981->19982 19983 ac9c93 19982->19983 19983->19953 19985 ac9bc4 _Fputc 19984->19985 19990 ac9a07 19985->19990 19988 abc6bb _Fputc 41 API calls 19989 ac9be8 19988->19989 19989->19961 19992 ac9a13 __FrameHandler3::FrameUnwindToState 19990->19992 19991 ac9a1b 19991->19988 19992->19991 19993 ac9af1 19992->19993 19995 ac9a6f 19992->19995 19994 abc902 _Fputc 41 API calls 19993->19994 19994->19991 20001 acc1e7 EnterCriticalSection 19995->20001 19997 ac9a75 19998 ac9a9a 19997->19998 20002 ac9b2d 19997->20002 20008 ac9ae9 19998->20008 20001->19997 20003 acc2be __fread_nolock 41 API calls 20002->20003 20004 ac9b3f 20003->20004 20005 ac9b5b SetFilePointerEx 20004->20005 20007 ac9b47 __fread_nolock 20004->20007 20006 ac9b73 GetLastError 20005->20006 20005->20007 20006->20007 20007->19998 20011 acc20a LeaveCriticalSection 20008->20011 20010 ac9aef 20010->19991 20011->20010 20013 ad0548 20012->20013 20014 ad053b 20012->20014 20016 ad0554 20013->20016 20017 ac1137 __dosmaperr 14 API calls 20013->20017 20015 ac1137 __dosmaperr 14 API calls 20014->20015 20018 ad0540 20015->20018 20016->19975 20019 ad0575 20017->20019 20018->19975 20020 abc97f __strnicoll 41 API calls 20019->20020 
20020->20018 21506 ac05a3 21509 ac05c0 21506->21509 21511 ac05cc __FrameHandler3::FrameUnwindToState 21509->21511 21510 ac05bb 21511->21510 21512 ac05df __fread_nolock 21511->21512 21513 ac0616 21511->21513 21515 ac1137 __dosmaperr 14 API calls 21512->21515 21522 abd5f7 EnterCriticalSection 21513->21522 21517 ac05f9 21515->21517 21516 ac0620 21523 ac03bd 21516->21523 21519 abc97f __strnicoll 41 API calls 21517->21519 21519->21510 21522->21516 21525 ac03ce __fread_nolock 21523->21525 21535 ac03ea 21523->21535 21524 ac03da 21526 ac1137 __dosmaperr 14 API calls 21524->21526 21525->21524 21530 ac042c __fread_nolock 21525->21530 21525->21535 21527 ac03df 21526->21527 21528 abc97f __strnicoll 41 API calls 21527->21528 21528->21535 21529 ac0553 __fread_nolock 21533 ac1137 __dosmaperr 14 API calls 21529->21533 21530->21529 21531 ac065d __fread_nolock 41 API calls 21530->21531 21532 ac6a14 _Fputc 41 API calls 21530->21532 21534 ac9668 __fread_nolock 53 API calls 21530->21534 21530->21535 21531->21530 21532->21530 21533->21527 21534->21530 21536 ac0655 21535->21536 21539 abd60b LeaveCriticalSection 21536->21539 21538 ac065b 21538->21510 21539->21538 21684 ab6d8b 21685 ab6d97 21684->21685 21686 ab6d92 21684->21686 21688 abd5f7 EnterCriticalSection 21686->21688 21688->21685 21689 ab6988 21692 ab685c 21689->21692 21691 ab6993 _Ref_count_obj 21693 ab688d 21692->21693 21694 ab689f 21693->21694 21696 ab6e21 21693->21696 21694->21691 21697 ab6e49 21696->21697 21698 ab6e2b 21696->21698 21697->21694 21699 ab6ace 69 API calls 21698->21699 21700 ab6e38 21699->21700 21702 abfe81 21700->21702 21703 abfe94 _Fputc 21702->21703 21708 abfd5c 21703->21708 21705 abfea0 21706 abc6bb _Fputc 41 API calls 21705->21706 21707 abfeac 21706->21707 21707->21697 21709 abfd68 __FrameHandler3::FrameUnwindToState 21708->21709 21710 abfd72 21709->21710 21711 abfd95 21709->21711 21713 abc902 _Fputc 41 API calls 21710->21713 21712 abfd8d 21711->21712 21719 abd5f7 EnterCriticalSection 21711->21719 21712->21705 
21713->21712 21715 abfdb3 21720 abfdf3 21715->21720 21717 abfdc0 21734 abfdeb 21717->21734 21719->21715 21721 abfe23 21720->21721 21722 abfe00 21720->21722 21724 ac00ee ___scrt_uninitialize_crt 66 API calls 21721->21724 21733 abfe1b 21721->21733 21723 abc902 _Fputc 41 API calls 21722->21723 21723->21733 21725 abfe3b 21724->21725 21737 ac59ad 21725->21737 21728 ac6a14 _Fputc 41 API calls 21729 abfe4f 21728->21729 21741 ac7b75 21729->21741 21732 ac4beb ___free_lconv_mon 14 API calls 21732->21733 21733->21717 21783 abd60b LeaveCriticalSection 21734->21783 21736 abfdf1 21736->21712 21738 abfe43 21737->21738 21739 ac59c4 21737->21739 21738->21728 21739->21738 21740 ac4beb ___free_lconv_mon 14 API calls 21739->21740 21740->21738 21742 ac7b9e 21741->21742 21747 abfe56 21741->21747 21743 ac7bed 21742->21743 21745 ac7bc5 21742->21745 21744 abc902 _Fputc 41 API calls 21743->21744 21744->21747 21748 ac7ae4 21745->21748 21747->21732 21747->21733 21749 ac7af0 __FrameHandler3::FrameUnwindToState 21748->21749 21756 acc1e7 EnterCriticalSection 21749->21756 21751 ac7afe 21752 ac7b2f 21751->21752 21757 ac7c18 21751->21757 21770 ac7b69 21752->21770 21756->21751 21758 acc2be __fread_nolock 41 API calls 21757->21758 21761 ac7c28 21758->21761 21759 ac7c2e 21773 acc22d 21759->21773 21761->21759 21762 acc2be __fread_nolock 41 API calls 21761->21762 21769 ac7c60 21761->21769 21765 ac7c57 21762->21765 21763 acc2be __fread_nolock 41 API calls 21766 ac7c6c CloseHandle 21763->21766 21764 ac7c86 __fread_nolock 21764->21752 21767 acc2be __fread_nolock 41 API calls 21765->21767 21766->21759 21768 ac7c78 GetLastError 21766->21768 21767->21769 21768->21759 21769->21759 21769->21763 21782 acc20a LeaveCriticalSection 21770->21782 21772 ac7b52 21772->21747 21774 acc23c 21773->21774 21775 acc2a3 21773->21775 21774->21775 21779 acc266 21774->21779 21776 ac1137 __dosmaperr 14 API calls 21775->21776 21777 acc2a8 21776->21777 21778 ac1124 __dosmaperr 14 API calls 21777->21778 21780 acc293 21778->21780 
21779->21780 21781 acc28d SetStdHandle 21779->21781 21780->21764 21781->21780 21782->21772 21783->21736 23034 ac47c7 23035 ac47e2 23034->23035 23036 ac47d2 23034->23036 23040 ac47e8 23036->23040 23039 ac4beb ___free_lconv_mon 14 API calls 23039->23035 23041 ac47fd 23040->23041 23042 ac4803 23040->23042 23044 ac4beb ___free_lconv_mon 14 API calls 23041->23044 23043 ac4beb ___free_lconv_mon 14 API calls 23042->23043 23045 ac480f 23043->23045 23044->23042 23046 ac4beb ___free_lconv_mon 14 API calls 23045->23046 23047 ac481a 23046->23047 23048 ac4beb ___free_lconv_mon 14 API calls 23047->23048 23049 ac4825 23048->23049 23050 ac4beb ___free_lconv_mon 14 API calls 23049->23050 23051 ac4830 23050->23051 23052 ac4beb ___free_lconv_mon 14 API calls 23051->23052 23053 ac483b 23052->23053 23054 ac4beb ___free_lconv_mon 14 API calls 23053->23054 23055 ac4846 23054->23055 23056 ac4beb ___free_lconv_mon 14 API calls 23055->23056 23057 ac4851 23056->23057 23058 ac4beb ___free_lconv_mon 14 API calls 23057->23058 23059 ac485c 23058->23059 23060 ac4beb ___free_lconv_mon 14 API calls 23059->23060 23061 ac486a 23060->23061 23066 ac4614 23061->23066 23067 ac4620 __FrameHandler3::FrameUnwindToState 23066->23067 23082 abf268 EnterCriticalSection 23067->23082 23069 ac4654 23083 ac4673 23069->23083 23072 ac462a 23072->23069 23073 ac4beb ___free_lconv_mon 14 API calls 23072->23073 23073->23069 23074 ac467f 23075 ac468b __FrameHandler3::FrameUnwindToState 23074->23075 23087 abf268 EnterCriticalSection 23075->23087 23077 ac4695 23078 ac48b5 __dosmaperr 14 API calls 23077->23078 23079 ac46a8 23078->23079 23088 ac46c8 23079->23088 23082->23072 23086 abf2b0 LeaveCriticalSection 23083->23086 23085 ac4661 23085->23074 23086->23085 23087->23077 23091 abf2b0 LeaveCriticalSection 23088->23091 23090 ac46b6 23090->23039 23091->23090 22224 abd565 22225 ac01bc ___scrt_uninitialize_crt 70 API calls 22224->22225 22226 abd56d 22225->22226 22234 ac5902 22226->22234 22228 abd572 22229 ac59ad 14 API calls 
22228->22229 22230 abd581 DeleteCriticalSection 22229->22230 22230->22228 22231 abd59c 22230->22231 22232 ac4beb ___free_lconv_mon 14 API calls 22231->22232 22233 abd5a7 22232->22233 22235 ac590e __FrameHandler3::FrameUnwindToState 22234->22235 22244 abf268 EnterCriticalSection 22235->22244 22237 ac5985 22245 ac59a4 22237->22245 22239 ac5919 22239->22237 22241 ac5959 DeleteCriticalSection 22239->22241 22242 abfe81 71 API calls 22239->22242 22243 ac4beb ___free_lconv_mon 14 API calls 22241->22243 22242->22239 22243->22239 22244->22239 22248 abf2b0 LeaveCriticalSection 22245->22248 22247 ac5991 22247->22228 22248->22247 23407 ac5b53 23408 ac5b5f __FrameHandler3::FrameUnwindToState 23407->23408 23419 abf268 EnterCriticalSection 23408->23419 23410 ac5b66 23420 acc149 23410->23420 23417 ac5aa3 2 API calls 23418 ac5b84 23417->23418 23439 ac5baa 23418->23439 23419->23410 23421 acc155 __FrameHandler3::FrameUnwindToState 23420->23421 23422 acc15e 23421->23422 23423 acc17f 23421->23423 23424 ac1137 __dosmaperr 14 API calls 23422->23424 23442 abf268 EnterCriticalSection 23423->23442 23426 acc163 23424->23426 23427 abc97f __strnicoll 41 API calls 23426->23427 23428 ac5b75 23427->23428 23428->23418 23433 ac59ed GetStartupInfoW 23428->23433 23430 acc18b 23432 acc1b7 23430->23432 23443 acc099 23430->23443 23450 acc1de 23432->23450 23434 ac5a0a 23433->23434 23435 ac5a9e 23433->23435 23434->23435 23436 acc149 42 API calls 23434->23436 23435->23417 23437 ac5a32 23436->23437 23437->23435 23438 ac5a62 GetFileType 23437->23438 23438->23437 23454 abf2b0 LeaveCriticalSection 23439->23454 23441 ac5b95 23442->23430 23444 ac511b __dosmaperr 14 API calls 23443->23444 23446 acc0ab 23444->23446 23445 acc0b8 23447 ac4beb ___free_lconv_mon 14 API calls 23445->23447 23446->23445 23448 ac5726 _unexpected 6 API calls 23446->23448 23449 acc10d 23447->23449 23448->23446 23449->23430 23453 abf2b0 LeaveCriticalSection 23450->23453 23452 acc1e5 23452->23428 23453->23452 23454->23441

                                    Control-flow Graph

                                    APIs
                                    • CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,010600FF,010600EF), ref: 010602FC
                                    • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 0106030F
                                    • Wow64GetThreadContext.KERNEL32(0000008C,00000000), ref: 0106032D
                                    • ReadProcessMemory.KERNELBASE(00000094,?,01060143,00000004,00000000), ref: 01060351
                                    • VirtualAllocEx.KERNELBASE(00000094,?,?,00003000,00000040), ref: 0106037C
                                    • WriteProcessMemory.KERNELBASE(00000094,00000000,?,?,00000000,?), ref: 010603D4
                                    • WriteProcessMemory.KERNELBASE(00000094,00400000,?,?,00000000,?,00000028), ref: 0106041F
                                    • WriteProcessMemory.KERNELBASE(00000094,-00000008,?,00000004,00000000), ref: 0106045D
                                    • Wow64SetThreadContext.KERNEL32(0000008C,010B0000), ref: 01060499
                                    • ResumeThread.KERNELBASE(0000008C), ref: 010604A8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674992961.0000000001060000.00000040.00001000.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1060000_file.jbxd
                                    Similarity
                                    • API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
                                    • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
                                    • API String ID: 2687962208-1257834847
                                    • Opcode ID: 6ed679946abb4a161c9f75f6101290084365813039212a6bd0c7882d8dd446c2
                                    • Instruction ID: c69d6f16e011c243ae66d0a5361341066cf044d1a0b54e0836c868aa0d92a393
                                    • Opcode Fuzzy Hash: 6ed679946abb4a161c9f75f6101290084365813039212a6bd0c7882d8dd446c2
                                    • Instruction Fuzzy Hash: 06B1F67264024AAFDB60CF68CC80BDA77A9FF88714F158164FA0CAB345D774FA418B94
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                    • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 913097a76a2aa3f9716249509b8196a2f4b16ccbac58342a843d0fa289859693
                                    • Instruction ID: ff544ec965548323bb3064bcd7254589d6c88da81195c8473ae1d23f4acb7aef
                                    • Opcode Fuzzy Hash: 913097a76a2aa3f9716249509b8196a2f4b16ccbac58342a843d0fa289859693
                                    • Instruction Fuzzy Hash: B6E08C32911228EBCB14DB98CA45E8AF3FCEB44B01B12409AB501E3101C670EE40C7D0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                    • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 857f0d7d492d1b07fb02e0609ce517428c09b40ad8e6f1d21a06a0ac5173a7a1
                                    • Instruction ID: d91df9f2202501f10b152d55496e5127143ab143932034440f4be05a2e39b5dd
                                    • Opcode Fuzzy Hash: 857f0d7d492d1b07fb02e0609ce517428c09b40ad8e6f1d21a06a0ac5173a7a1
                                    • Instruction Fuzzy Hash: C1C08C3404090086CE398A108371BA43374A391782F81049DC46A4B646CA6F9C83D750

                                    Control-flow Graph

                                    control_flow_graph 23 ac534e-ac535a 24 ac53ec-ac53ef 23->24 25 ac535f-ac5370 24->25 26 ac53f5 24->26 28 ac537d-ac5396 LoadLibraryExW 25->28 29 ac5372-ac5375 25->29 27 ac53f7-ac53fb 26->27 32 ac53fc-ac540c 28->32 33 ac5398-ac53a1 GetLastError 28->33 30 ac537b 29->30 31 ac5415-ac5417 29->31 35 ac53e9 30->35 31->27 32->31 34 ac540e-ac540f FreeLibrary 32->34 36 ac53da-ac53e7 33->36 37 ac53a3-ac53b5 call ac4588 33->37 34->31 35->24 36->35 37->36 40 ac53b7-ac53c9 call ac4588 37->40 40->36 43 ac53cb-ac53d8 LoadLibraryExW 40->43 43->32 43->36
                                    APIs
                                    • FreeLibrary.KERNEL32(00000000,?,00AC545B,?,?,00AB4EC6,00000000,?,?,00AC5685,00000021,FlsSetValue,00ADA2C0,00ADA2C8,00AB4EC6), ref: 00AC540F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                    • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: FreeLibrary
                                    • String ID: api-ms-$ext-ms-
                                    • API String ID: 3664257935-537541572
                                    • Opcode ID: 3ee43b232700058c67216d6e23498f6e8fbf7127064765435f1222da05d60ddd
                                    • Instruction ID: 1822ce5fdbd5d621dbadb7748b318af955cf41ff2629b2cadd3325cba90be6fc
                                    • Opcode Fuzzy Hash: 3ee43b232700058c67216d6e23498f6e8fbf7127064765435f1222da05d60ddd
                                    • Instruction Fuzzy Hash: CD212B31E41A50A7CB21DB74AD54F9E37B8EB517E0F260219F906AB390D6B0FD40CAE0

                                    Control-flow Graph

                                    control_flow_graph 44 ac7849-ac7862 45 ac7878-ac787d 44->45 46 ac7864-ac7874 call ac16a6 44->46 48 ac788c-ac78b2 call aca722 45->48 49 ac787f-ac7889 45->49 46->45 52 ac7876 46->52 54 ac78b8-ac78c3 48->54 55 ac7a25-ac7a36 call ab8107 48->55 49->48 52->45 57 ac7a18 54->57 58 ac78c9-ac78ce 54->58 61 ac7a1a 57->61 59 ac78d0-ac78d9 call ab8450 58->59 60 ac78e3-ac78ee call ac5bdf 58->60 69 ac78f9-ac78fd 59->69 70 ac78db-ac78e1 59->70 60->69 71 ac78f0 60->71 65 ac7a1c-ac7a23 call ab7bc6 61->65 65->55 69->61 74 ac7903-ac791a call aca722 69->74 73 ac78f6 70->73 71->73 73->69 74->61 77 ac7920-ac7932 call ac57e8 74->77 79 ac7937-ac793b 77->79 80 ac793d-ac7945 79->80 81 ac7956-ac7958 79->81 82 ac797f-ac798b 80->82 83 ac7947-ac794c 80->83 81->61 86 ac798d-ac798f 82->86 87 ac7a0a 82->87 84 ac79fe-ac7a00 83->84 85 ac7952-ac7954 83->85 84->65 85->81 89 ac795d-ac7977 call ac57e8 85->89 90 ac79a4-ac79af call ac5bdf 86->90 91 ac7991-ac799a call ab8450 86->91 88 ac7a0c-ac7a13 call ab7bc6 87->88 88->81 89->84 101 ac797d 89->101 90->88 100 ac79b1 90->100 91->88 102 ac799c-ac79a2 91->102 103 ac79b7-ac79bc 100->103 101->81 102->103 103->88 104 ac79be-ac79d6 call ac57e8 103->104 104->88 107 ac79d8-ac79df 104->107 108 ac79e1-ac79e2 107->108 109 ac7a02-ac7a08 107->109 110 ac79e3-ac79f5 call aca79e 108->110 109->110 110->88 113 ac79f7-ac79fd call ab7bc6 110->113 113->84
                                    APIs
                                    • __alloca_probe_16.LIBCMT ref: 00AC78D0
                                    • __alloca_probe_16.LIBCMT ref: 00AC7991
                                    • __freea.LIBCMT ref: 00AC79F8
                                      • Part of subcall function 00AC5BDF: RtlAllocateHeap.NTDLL(00000000,00AB4EC6,?,?,00AB930A,?,?,?,?,?,00AB2617,00AB4EC6,?,?,?,?), ref: 00AC5C11
                                    • __freea.LIBCMT ref: 00AC7A0D
                                    • __freea.LIBCMT ref: 00AC7A1D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                    • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: __freea$__alloca_probe_16$AllocateHeap
                                    • String ID:
                                    • API String ID: 1423051803-0
                                    • Opcode ID: 62e881bdcb30e06d8450efe12ab7721b2b57f58a4a89aff93629dc0ce7e1b4d2
                                    • Instruction ID: 6b2e302d31804d590efd94f929a3317716d475d8dca968eab3d434c1f6146600
                                    • Opcode Fuzzy Hash: 62e881bdcb30e06d8450efe12ab7721b2b57f58a4a89aff93629dc0ce7e1b4d2
                                    • Instruction Fuzzy Hash: 9451C172A04206AFEB219F65CC41FBF3AA9EF44394B16062DFD09E6151EA70CD50CBA0

                                    Control-flow Graph

                                    control_flow_graph 116 ad554f-ad5564 117 ad556a-ad5574 116->117 118 ad5627-ad5634 call ab433b 116->118 119 ad557a-ad5588 117->119 120 ad5625-ad5626 117->120 122 ad558c-ad559e call ab13cb 119->122 120->118 125 ad55a3-ad561e call ab1eb7 call ab13cb call ab1eb7 call abd44e call ab1920 call ab1800 122->125 125->122 138 ad5624 125->138 138->120
                                    APIs
                                      • Part of subcall function 00AB13CB: __EH_prolog3_catch.LIBCMT ref: 00AB13D2
                                      • Part of subcall function 00AB13CB: _strlen.LIBCMT ref: 00AB13E4
                                      • Part of subcall function 00AB1920: __EH_prolog3_catch.LIBCMT ref: 00AB1927
                                    • _Deallocate.LIBCONCRT ref: 00AD5606
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                    • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: H_prolog3_catch$Deallocate_strlen
                                    • String ID: Earth$Own head
                                    • API String ID: 1170754441-4036566267
                                    • Opcode ID: f3a38d57315ed40c56de109958b4fefe238ba63bd797a306de50d9d3dffcf0ee
                                    • Instruction ID: 82049753fcd11ed584d7c6c170775efb927c3ffbdf1f2b6528934737845edc8b
                                    • Opcode Fuzzy Hash: f3a38d57315ed40c56de109958b4fefe238ba63bd797a306de50d9d3dffcf0ee
                                    • Instruction Fuzzy Hash: 3221D872408742AEC700EF3C98918AFFBE8BD55308F941A5FF09153207D631E649CBA6

                                    Control-flow Graph

                                    APIs
                                    • GetCurrentProcess.KERNEL32(?,?,00AC1FC2,00000016,00ABC782,?,?,240508E6,00ABC782,?), ref: 00AC1FD9
                                    • TerminateProcess.KERNEL32(00000000,?,00AC1FC2,00000016,00ABC782,?,?,240508E6,00ABC782,?), ref: 00AC1FE0
                                    • ExitProcess.KERNEL32 ref: 00AC1FF2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                    • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: Process$CurrentExitTerminate
                                    • String ID:
                                    • API String ID: 1703294689-0
                                    • Opcode ID: 29bca0e239a885e1de9c49ce33dca2b6a101c2bc399df894170fd3c0a42675bd
                                    • Instruction ID: 23b0800f88416c4d2ce23372277e4cb76df3c034775821c7c7215490dbff313a
                                    • Opcode Fuzzy Hash: 29bca0e239a885e1de9c49ce33dca2b6a101c2bc399df894170fd3c0a42675bd
                                    • Instruction Fuzzy Hash: 10D09231005108AFCF21AFA4DD0DE5D3F2AAF40795B45802AB90A4A132DB319E93DB80

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 00AB217E: _strlen.LIBCMT ref: 00AB2196
                                    • VirtualAllocEx.KERNELBASE(?,00000000,000004AC,00001000,00000040,0000000006:1@0000000005:@), ref: 00AD569D
                                    Strings
                                    • 0000000006:1@0000000005:@, xrefs: 00AD5666
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                     • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: AllocVirtual_strlen
                                    • String ID: 0000000006:1@0000000005:@
                                    • API String ID: 3554592677-176982251
                                    • Opcode ID: 14a5792a5075327fbb095503d64a542016e5a8120d6b357df88dc9b53f789870
                                    • Instruction ID: 8c820764eddd4f0f9677ca66bde6d5127eb78c4a1242f74c34dfe44484da0957
                                    • Opcode Fuzzy Hash: 14a5792a5075327fbb095503d64a542016e5a8120d6b357df88dc9b53f789870
                                    • Instruction Fuzzy Hash: 54112371E412086ADB14E7B8ED42FEE77BCEF84761F14412EF112B62C2DE649D0287A0
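                                     The VirtualAllocEx record above is the one line in this part of the listing that carries the injection signal: the fourth and fifth stack values, 0x1000 and 0x40, are MEM_COMMIT and PAGE_EXECUTE_READWRITE, dwSize is 0x4AC bytes, and the target process handle was not recovered (shown as "?"). The Python below is an added example, not part of the Joe Sandbox report or its tooling. It parses API call lines in the notation this report uses ("Api.Module(values), ref: address"), decodes the VirtualAllocEx arguments, and flags any allocation in another process that carries an execute bit. The sample lines are copied from this report; the function names (parse_log, decode_virtual_alloc_ex, find_injection_primitives) are mine, and the reading that the report prints raw call-site stack slots rather than only the API's parameters (VirtualAllocEx takes five but six values are listed; RtlAllocateHeap takes three but sixteen are listed) is an inference from the page, not documented behaviour.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Constructed sample: API call lines copied from the function listings in this report.
SAMPLE_LOG = """\
• VirtualAllocEx.KERNELBASE(?,00000000,000004AC,00001000,00000040,0000000006:1@0000000005:@), ref: 00AD569D
• CreateThread.KERNELBASE(00000000,00000000,Function_00025653,00000000,00000000,00000000), ref: 00AD5643
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00AD564C
• RtlAllocateHeap.NTDLL(00000000,00AB4EC6,?,?,00AB930A,?,?,?,?,?,00AB2617,00AB4EC6,?,?,?,?), ref: 00AC5C11
"""

# One record per line: "<Api>.<Module>(<comma-separated stack values>), ref: <call-site address>"
LINE_RE = re.compile(
    r"^\s*[•*-]?\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Win32 constants for the two VirtualAllocEx flag parameters (values from the SDK headers).
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET", 0x100000: "MEM_TOP_DOWN"}
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE_MASK = 0x10 | 0x20 | 0x40 | 0x80
CURRENT_PROCESS_PSEUDO_HANDLE = 0xFFFFFFFF  # GetCurrentProcess() on 32-bit

Value = Union[int, str, None]  # hex literal, symbol/inline string, or '?' (not recovered)


@dataclass
class ApiCall:
    api: str
    module: str
    values: List[Value]  # stack slots at the call site; may exceed the API's parameter count
    ref: int             # address of the call instruction


def parse_value(tok: str) -> Value:
    tok = tok.strip()
    if tok == "?":
        return None
    # Numeric slots are zero-padded to 8 hex digits; anything else (Function_xxx, inline
    # strings such as 0000000006:1@0000000005:@) is kept verbatim.
    if re.fullmatch(r"[0-9A-Fa-f]{1,8}", tok):
        return int(tok, 16)
    return tok


def parse_log(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m["args"]
        values = [parse_value(t) for t in raw.split(",")] if raw else []
        calls.append(ApiCall(m["api"], m["module"], values, int(m["ref"], 16)))
    return calls


def decode_flags(value: int, table: dict) -> str:
    names = [name for bit, name in table.items() if value & bit]
    return "|".join(names) if names else f"0x{value:X}"


def decode_virtual_alloc_ex(call: ApiCall) -> dict:
    """Map the first five slots onto VirtualAllocEx(hProcess, lpAddress, dwSize,
    flAllocationType, flProtect). Slots past the fifth are caller stack data."""
    h, addr, size, alloc, prot = (call.values + [None] * 5)[:5]
    return {
        "hProcess": h,
        "lpAddress": addr,
        "dwSize": size,
        "flAllocationType": decode_flags(alloc, MEM_FLAGS) if isinstance(alloc, int) else alloc,
        "flProtect": PAGE_PROTECT.get(prot, f"0x{prot:X}") if isinstance(prot, int) else prot,
    }


def find_injection_primitives(calls: List[ApiCall]) -> List[str]:
    """Flag VirtualAllocEx calls whose protection has an execute bit set: memory committed
    as executable in another process is the first step of most injectors."""
    findings = []
    for c in calls:
        if c.api != "VirtualAllocEx":
            continue
        d = decode_virtual_alloc_ex(c)
        prot = c.values[4] if len(c.values) > 4 else None
        if not (isinstance(prot, int) and prot & EXECUTABLE_MASK):
            continue
        h = d["hProcess"]
        if h is None:
            target = "target handle not recovered"
        elif h == CURRENT_PROCESS_PSEUDO_HANDLE:
            target = "own process (pseudo-handle), not remote"
        else:
            target = f"hProcess={h:#x}" if isinstance(h, int) else f"hProcess={h}"
        size = d["dwSize"]
        size_txt = f"0x{size:X}" if isinstance(size, int) else "?"
        findings.append(
            f"{c.ref:08X}: VirtualAllocEx {d['flAllocationType']} {d['flProtect']} "
            f"size={size_txt} ({target})"
        )
    return findings


if __name__ == "__main__":
    for finding in find_injection_primitives(parse_log(SAMPLE_LOG)):
        print(finding)
```

                                     Run against the four sample lines the script reports only the 00AD569D call. A handle of 0xFFFFFFFF would be the current-process pseudo-handle and is reported as not remote; here the handle is unrecovered, which matches the "Allocates memory in foreign processes" signature rather than proving it on its own.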

                                    Control-flow Graph

                                     • Rendered graph omitted. Entry block 0xAC86C8; WriteFile is called from block 0xAC8819 and GetLastError from block 0xAC883B; subroutine calls to 0xABC902, 0xAC9C4E, 0xAC824C, 0xAC7E12, 0xAC81E4, 0xAC82CA, 0xAC848E, 0xAC83A5 and 0xAC1100.
                                    APIs
                                      • Part of subcall function 00AC7E12: GetConsoleOutputCP.KERNEL32(240508E6,00000000,00000000,00000000), ref: 00AC7E75
                                    • WriteFile.KERNEL32(?,00000000,00000000,00ABFDC0,00000000,00000000,00000000,00000000,00000000,?,00ABFDC0,00000000,00000000,00AE04B0,00000010,00000000), ref: 00AC8831
                                    • GetLastError.KERNEL32(?,00ABFDC0,00000000,00000000,00AE04B0,00000010,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00AC883B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                     • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: ConsoleErrorFileLastOutputWrite
                                    • String ID:
                                    • API String ID: 2915228174-0
                                    • Opcode ID: e4eaa09af940e27605a13e493bf4230d672b973566f6f490fa6fc93083da23e4
                                    • Instruction ID: d9bbffd47a29467b0fb4082ce0ef775e29509023dd46686f2eab601809742968
                                    • Opcode Fuzzy Hash: e4eaa09af940e27605a13e493bf4230d672b973566f6f490fa6fc93083da23e4
                                    • Instruction Fuzzy Hash: 17619071D04149AEDF15CFA8C884FEEBBB9BF09344F164199E814A7252EB39D9418BA0

                                    Control-flow Graph

                                     • Rendered graph omitted. Entry block 0xACB74D; IsValidCodePage is called from block 0xACB7AA and GetCPInfo from block 0xACB7EB; subroutine calls to 0xACB27D, 0xACB2EE, 0xAB9950, 0xAB8107, 0xACB351 and 0xACB23F.
                                    APIs
                                      • Part of subcall function 00ACB27D: GetOEMCP.KERNEL32(00000000,?,?,00000000,?), ref: 00ACB2A8
                                    • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,00ACB594,?,00000000,?,00000000,?), ref: 00ACB7AE
                                    • GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,00ACB594,?,00000000,?,00000000,?), ref: 00ACB7F0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                     • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: CodeInfoPageValid
                                    • String ID:
                                    • API String ID: 546120528-0
                                    • Opcode ID: a892cf7e7713adb9ca185760f51b959c8d76a66954fcd24a40c2fa634a84c491
                                    • Instruction ID: c85aedd2fcab8cd904d7a84c1832aeea827fb74cf76b16d7fada67c4308a244b
                                    • Opcode Fuzzy Hash: a892cf7e7713adb9ca185760f51b959c8d76a66954fcd24a40c2fa634a84c491
                                    • Instruction Fuzzy Hash: F9511670E102458FDB20CF75C892FEABBF9EF85300F1A856ED0968B252D7769945CB60

                                    Control-flow Graph

                                     • Rendered graph omitted. Entry block 0xAB13CB; no direct API calls; subroutine calls to 0xAB81A1, 0xABF160, 0xAB277E, 0xAB76D6, 0xAB4C21, 0xAB45C5, 0xAB2B1A and 0xAB8115.
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                     • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: H_prolog3_catch_strlen
                                    • String ID:
                                    • API String ID: 3133806014-0
                                    • Opcode ID: c3ba2a98fb7505678333d7d5f350a69bd88d130d743918125d9375edb93278c2
                                    • Instruction ID: 4617a5e41c61cc8eead97307608771489935eebe504612a63fa6ac162adbb51c
                                    • Opcode Fuzzy Hash: c3ba2a98fb7505678333d7d5f350a69bd88d130d743918125d9375edb93278c2
                                    • Instruction Fuzzy Hash: E6519EB1E005148FCB20DFACC9909EDBBF9AF49324B64425AE825EB293D731DD41CB50

                                    Control-flow Graph

                                     • Rendered graph omitted. Entry block 0xAC82CA; WriteFile is called from block 0xAC8349 and GetLastError from block 0xAC838C; subroutine calls to 0xAB8D10 and 0xAB8107.
                                    APIs
                                    • WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,00000000,?,00AC8817,?,00000000,00000000,00000000,00000000,00000000), ref: 00AC8366
                                    • GetLastError.KERNEL32(?,00AC8817,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00ABFDC0,00000000,00000000,00AE04B0,00000010), ref: 00AC838C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                     • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: ErrorFileLastWrite
                                    • String ID:
                                    • API String ID: 442123175-0
                                    • Opcode ID: c38c2ee863391d579952fb9adb9b3c653a4001590fddd806b4b94c586da2c21f
                                    • Instruction ID: ad76a15e490af33c72e83ff9562f44a97b92d56ce3efcd17f4967b17c4dcca09
                                    • Opcode Fuzzy Hash: c38c2ee863391d579952fb9adb9b3c653a4001590fddd806b4b94c586da2c21f
                                    • Instruction Fuzzy Hash: CD218234A002599BCF15CF5ADC80ADDB7B9FB49701F1544AEE906DB311DA34DE42CB60

                                    Control-flow Graph

                                     • Rendered graph omitted. Entry block 0xAC5AA3; GetStdHandle is called from block 0xAC5AED and GetFileType from block 0xAC5B00; no subroutine calls.
                                    APIs
                                    • GetStdHandle.KERNEL32(000000F6), ref: 00AC5AEF
                                    • GetFileType.KERNELBASE(00000000), ref: 00AC5B01
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                     • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: FileHandleType
                                    • String ID:
                                    • API String ID: 3000768030-0
                                    • Opcode ID: 0ebcb92fb7fa81f356f76345d02ba1999324582c5c0fc0cdb457f2120c1b34e4
                                    • Instruction ID: 96ce2c225ece764edcd857848495800d9e5d4599616d321882f2a69efd066c16
                                    • Opcode Fuzzy Hash: 0ebcb92fb7fa81f356f76345d02ba1999324582c5c0fc0cdb457f2120c1b34e4
                                    • Instruction Fuzzy Hash: DA115131904F5146C7308B3F9C88F26AEA5A756370B3A071EF0B6965E1D620ECC69650

                                    Control-flow Graph

                                     • Rendered graph omitted. Entry block 0xAC57E8; LCMapStringEx is called from block 0xAC57F9 and LCMapStringW from block 0xAC5820; subroutine calls to 0xAC531A and 0xAC5845.
                                    APIs
                                    • LCMapStringEx.KERNELBASE(?,00AC7937,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00AC581C
                                    • LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00AC7937,?,?,00000000,?,00000000), ref: 00AC583A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                     • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: String
                                    • String ID:
                                    • API String ID: 2568140703-0
                                    • Opcode ID: 924b1a27f5cb8ae33fba955dcf6771e1f31c88e8bbb472529d5f4349b976cf80
                                    • Instruction ID: 857faf4c726bf5b689473eb26a6628f59bd3b2799a46ab77bea331c611e63b84
                                    • Opcode Fuzzy Hash: 924b1a27f5cb8ae33fba955dcf6771e1f31c88e8bbb472529d5f4349b976cf80
                                    • Instruction Fuzzy Hash: 13F0923280051AFBCF125FA0DC15EDE3F26EF48360F068125FE1565121CB32D872AB90

                                    Control-flow Graph

                                     • Rendered graph omitted. Single basic block 0xAD5637-0xAD5652 calling CreateThread and then WaitForSingleObject.
                                    APIs
                                    • CreateThread.KERNELBASE(00000000,00000000,Function_00025653,00000000,00000000,00000000), ref: 00AD5643
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00AD564C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                     • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: CreateObjectSingleThreadWait
                                    • String ID:
                                    • API String ID: 1891408510-0
                                    • Opcode ID: 9eac1ab70c2cf140b06c3f81e665a1bb5af4b4d2bc886c35269dbddefe4beaf7
                                    • Instruction ID: 03e2d2247812966cdf1614e5da502ead8cfa5cc301116c5a30ba0c1fc6d532b3
                                    • Opcode Fuzzy Hash: 9eac1ab70c2cf140b06c3f81e665a1bb5af4b4d2bc886c35269dbddefe4beaf7
                                    • Instruction Fuzzy Hash: C6C092F0A45200BEFF009BF0AD0CC37371CE600B213208F02BE23D21E0C9248C018634

                                    Control-flow Graph

                                     • Rendered graph omitted. Entry block 0xACB351; GetCPInfo is called from block 0xACB379; subroutine calls to 0xAB8107, 0xAC7740 and 0xAC7A37.
                                    APIs
                                    • GetCPInfo.KERNEL32(E8458D00,?,00ACB5A0,00ACB594,00000000), ref: 00ACB383
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                     • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: Info
                                    • String ID:
                                    • API String ID: 1807457897-0
                                    • Opcode ID: aa28d0201e56c96696297207f651947e2e5dfe8c563334cb586b48237bf3d7ab
                                    • Instruction ID: c2d79cdc1b2f27c9fd933daeef64461f60801e2e14e389590a72315f977e30ea
                                    • Opcode Fuzzy Hash: aa28d0201e56c96696297207f651947e2e5dfe8c563334cb586b48237bf3d7ab
                                    • Instruction Fuzzy Hash: 6B5146715082589ADB218F28CE85FEA7BB8EB55304F2445EDE59ACB143C336AD46CF30

                                    Control-flow Graph

                                     • Rendered graph omitted. Entry block 0xAB6F32; no direct API calls; subroutine calls to 0xAB8107, 0xAB6D99, 0xAB6643 and 0xAC0CF6.
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                     • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2a25464a5f2570b282520fde4bc6face5157deb0cf01d1cc89dd512f436f6394
                                    • Instruction ID: f1e36caac6b70e88d7f2b1b9a70696a421f1127ce7397a9b86acaee4a8045235
                                    • Opcode Fuzzy Hash: 2a25464a5f2570b282520fde4bc6face5157deb0cf01d1cc89dd512f436f6394
                                    • Instruction Fuzzy Hash: 5931817690450AEFCB14DF78D9809EEB7BCBF09320B14026AE501A7281EB71ED04CB90
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                     • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e0cb132f5b38ea482ea4e87d3428800e765b56f81842390dae0719c2a8fd0ed3
                                    • Instruction ID: af7307175357aa610c10bba327abf14024e93739dfb5445139dda6dd0f9fb96a
                                    • Opcode Fuzzy Hash: e0cb132f5b38ea482ea4e87d3428800e765b56f81842390dae0719c2a8fd0ed3
                                    • Instruction Fuzzy Hash: 2101F937B005155B9B1A9F79FD41F9A37A7BB85361716C128F905CB144DF30E8818790
                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000000,00AB4EC6,?,?,00AB930A,?,?,?,?,?,00AB2617,00AB4EC6,?,?,?,?), ref: 00AC5C11
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                     • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: 693fce63a43fbc0f9a189e42dacfd188f2b877f310965f8485d2bcd27faa1832
                                    • Instruction ID: 34a86cf28c87c783fae6a8820b0dfbaea1738d26fd4c513fd84ba097ae7b1794
                                    • Opcode Fuzzy Hash: 693fce63a43fbc0f9a189e42dacfd188f2b877f310965f8485d2bcd27faa1832
                                    • Instruction Fuzzy Hash: 38E02B31E0CB1057DB2127799E00F9B3A5C9F427A0F17012CFC0596091EF50ECC185A4
                                    APIs
                                    • FreeConsole.KERNELBASE(00AB83B9,00000000,00000000,00000000,00AE0308,00000014), ref: 00AD5712
                                      • Part of subcall function 00AD5637: CreateThread.KERNELBASE(00000000,00000000,Function_00025653,00000000,00000000,00000000), ref: 00AD5643
                                      • Part of subcall function 00AD5637: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00AD564C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                     • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: ConsoleCreateFreeObjectSingleThreadWait
                                    • String ID:
                                    • API String ID: 973188901-0
                                    • Opcode ID: 62072cc2bf1a0de90332a32efb956b429baf37aa2a5a9f52ee826f0f5082a693
                                    • Instruction ID: 53701a5913b75c0aa31a69cc88caed6c2ded75e6012219db61ac88d579a88acc
                                    • Opcode Fuzzy Hash: 62072cc2bf1a0de90332a32efb956b429baf37aa2a5a9f52ee826f0f5082a693
                                    • Instruction Fuzzy Hash: 019002705124808697406770ED090093750664020279885627003C0165DF6285015910
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                    • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: __floor_pentium4
                                    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                    • API String ID: 4168288129-2761157908
                                    • Opcode ID: a368c2c2a4b1abb539af1540a5801490ec171aa0b8d31d12693181f557f0aab8
                                    • Instruction ID: c09dc2ebb25a0735c2cb86ce2df50527a8cea0193a9b3bd91cab44566168c789
                                    • Opcode Fuzzy Hash: a368c2c2a4b1abb539af1540a5801490ec171aa0b8d31d12693181f557f0aab8
                                    • Instruction Fuzzy Hash: D8D20672E082298FDB65CF28DD44BEAB7B6EB45304F1541EAD44EE7240D778AE818F41
                                    APIs
                                    • GetLocaleInfoW.KERNEL32(?,2000000B,00ACE54E,00000002,00000000,?,?,?,00ACE54E,?,00000000), ref: 00ACE2C9
                                    • GetLocaleInfoW.KERNEL32(?,20001004,00ACE54E,00000002,00000000,?,?,?,00ACE54E,?,00000000), ref: 00ACE2F2
                                    • GetACP.KERNEL32(?,?,00ACE54E,?,00000000), ref: 00ACE307
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                    • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: InfoLocale
                                    • String ID: ACP$OCP
                                    • API String ID: 2299586839-711371036
                                    • Opcode ID: 87eb97fb83db956a92235208199453bff7d3de29c07ce6232bfc1d31a19cd6fb
                                    • Instruction ID: f3b718e198b3b8fd71ea7681b2409a691d2257efe93371b5d69f0c4e2c986833
                                    • Opcode Fuzzy Hash: 87eb97fb83db956a92235208199453bff7d3de29c07ce6232bfc1d31a19cd6fb
                                    • Instruction Fuzzy Hash: 39213A72600145EAEF35CB94C905FE773AEAB64B61B57852CE90ADB210E732EE41C750
                                    APIs
                                      • Part of subcall function 00AC4900: GetLastError.KERNEL32(?,00000008,00AC4EFF), ref: 00AC4904
                                      • Part of subcall function 00AC4900: SetLastError.KERNEL32(00000000,00AB4EC6,00000002,000000FF), ref: 00AC49A6
                                    • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00ACE511
                                    • IsValidCodePage.KERNEL32(00000000), ref: 00ACE55A
                                    • IsValidLocale.KERNEL32(?,00000001), ref: 00ACE569
                                    • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00ACE5B1
                                    • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00ACE5D0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                    • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                    • String ID:
                                    • API String ID: 415426439-0
                                    • Opcode ID: abdc4571124b2184ad910385b8254577ae6d4a7bb988fe43565e6917b015be87
                                    • Instruction ID: 64d31de13264b58850f666fd4146235b6d3a31c3fcb0f3d6e422f61f2e8b698d
                                    • Opcode Fuzzy Hash: abdc4571124b2184ad910385b8254577ae6d4a7bb988fe43565e6917b015be87
                                    • Instruction Fuzzy Hash: 25518D72A00219ABEF10DFA4DD45FAE77B8BF08700F16442DF911EB191EB71EA408B61
                                    APIs
                                      • Part of subcall function 00AC4900: GetLastError.KERNEL32(?,00000008,00AC4EFF), ref: 00AC4904
                                      • Part of subcall function 00AC4900: SetLastError.KERNEL32(00000000,00AB4EC6,00000002,000000FF), ref: 00AC49A6
                                    • GetACP.KERNEL32(?,?,?,?,?,?,00AC34A3,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00ACDB62
                                    • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00AC34A3,?,?,?,00000055,?,-00000050,?,?), ref: 00ACDB8D
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00ACDCF0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                    • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: ErrorLast$CodeInfoLocalePageValid
                                    • String ID: utf8
                                    • API String ID: 607553120-905460609
                                    • Opcode ID: 32bd8f3d7097004196cad2c6bad9c4ebbe0d65e382da346638285e9d52d5b9e2
                                    • Instruction ID: 7932b377f89eecd8eae9868e30ec40823543c9eed2e77e60716c6c5eacec9cab
                                    • Opcode Fuzzy Hash: 32bd8f3d7097004196cad2c6bad9c4ebbe0d65e382da346638285e9d52d5b9e2
                                    • Instruction Fuzzy Hash: B671F771A04206AADB24AB75DD86FBA77E8EF44700F16443EF506EB181EBB0ED41C761
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                    • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: _strrchr
                                    • String ID:
                                    • API String ID: 3213747228-0
                                    • Opcode ID: 1f47ff457ba235831066e09548e84625a770d893a1596bb91e99954b6fab6d07
                                    • Instruction ID: 6f07e122f9a73542ef24598ee65c546c645b0cb7efab3d136c8abbd911dd51db
                                    • Opcode Fuzzy Hash: 1f47ff457ba235831066e09548e84625a770d893a1596bb91e99954b6fab6d07
                                    • Instruction Fuzzy Hash: FDB12172D046459FDF25CF68C881BEEBBB5EF59340F16816EF905AB242D234AD41CBA0
                                    APIs
                                    • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00AB87AE
                                    • IsDebuggerPresent.KERNEL32 ref: 00AB887A
                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00AB8893
                                    • UnhandledExceptionFilter.KERNEL32(?), ref: 00AB889D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                    • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                    • String ID:
                                    • API String ID: 254469556-0
                                    • Opcode ID: c477b45987a0db30e00c07edd40089d9a9ded7a6ed289301148e8cf7b2a3e393
                                    • Instruction ID: 969d083eb743d188eb74f724857f93002cb335bcba473ffef3483d52fdfb5603
                                    • Opcode Fuzzy Hash: c477b45987a0db30e00c07edd40089d9a9ded7a6ed289301148e8cf7b2a3e393
                                    • Instruction Fuzzy Hash: 42310675D013189BEF60DFA4D989BCDBBB8AF08300F1041AAE50DAB251EB759A85CF45
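The four calls in the record above (IsProcessorFeaturePresent with 0x17 = PF_FASTFAIL_AVAILABLE, IsDebuggerPresent, SetUnhandledExceptionFilter(NULL), UnhandledExceptionFilter) are the sequence the MSVC runtime's fast-fail / fatal-error path compiles to, and the GetLocaleInfoW / GetACP / IsValidCodePage / EnumSystemLocalesW records around it are the CRT's setlocale machinery. On their own these records say nothing about the sample's intent, and a debugger-detection signature that fires on them is weak evidence by itself; the FreeConsole / CreateThread record and the injection behaviour are where manual review pays off. The Python below is an added example, not Joe Sandbox code and not part of this report: it parses "APIs" lines in the layout shown on this page, decodes the PF_* constants, and labels each record as CRT boilerplate or as worth a manual look. The sample records are constructed from lines on this page; the label names and the two boilerplate API sets are my own assumptions, not Joe Sandbox's.

```python
"""Triage helper for Joe Sandbox "APIs" records: parse the call lines, decode
PF_* constants, and label each record as CRT boilerplate or "review".
Added example; not Joe Sandbox code and not part of the original report."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the layout of this report's records (addresses from the page).
SAMPLE = """\
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00AB87AE
• IsDebuggerPresent.KERNEL32 ref: 00AB887A
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00AB8893
• UnhandledExceptionFilter.KERNEL32(?), ref: 00AB889D
APIs
  • Part of subcall function 00AC4900: GetLastError.KERNEL32(?,00000008,00AC4EFF), ref: 00AC4904
• GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00ACE511
• IsValidCodePage.KERNEL32(00000000), ref: 00ACE55A
• IsValidLocale.KERNEL32(?,00000001), ref: 00ACE569
• GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040), ref: 00ACE5B1
APIs
• FreeConsole.KERNELBASE(00AB83B9,00000000,00000000,00000000,00AE0308,00000014), ref: 00AD5712
  • Part of subcall function 00AD5637: CreateThread.KERNELBASE(00000000,00000000,Function_00025653,00000000,00000000,00000000), ref: 00AD5643
  • Part of subcall function 00AD5637: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00AD564C
"""

CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<fn>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
HEX_RE = re.compile(r"-?[0-9A-Fa-f]+")
PF_NAMES = {0x0A: "PF_XMMI64_INSTRUCTIONS_AVAILABLE", 0x17: "PF_FASTFAIL_AVAILABLE"}  # winnt.h
# Assumed (my own) API sets: the CRT's locale initialisation, and the call sequence the
# CRT's fast-fail / fatal-error path compiles to.
CRT_LOCALE = {"GetLocaleInfoW", "GetACP", "IsValidCodePage", "IsValidLocale",
              "GetUserDefaultLCID", "EnumSystemLocalesW", "GetLastError", "SetLastError"}
CRT_FASTFAIL = {"IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter"}

@dataclass
class Call:
    func: str
    module: str
    args: list                 # int for hex literals, None for '?', str for symbols
    ref: int                   # address of the call instruction
    subcall_of: Optional[int]  # callee address for "Part of subcall function" lines

def parse_arg(tok: str):
    tok = tok.strip()
    if tok in ("", "?"):
        return None
    if HEX_RE.fullmatch(tok):
        return -int(tok[1:], 16) if tok[0] == "-" else int(tok, 16)
    return tok

def split_records(text: str) -> List[str]:
    """One chunk per 'APIs' header."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            if current is not None:
                records.append("\n".join(current))
            current = []
        elif current is not None:
            current.append(line)
    if current is not None:
        records.append("\n".join(current))
    return records

def parse_record(text: str) -> List[Call]:
    calls = []
    for m in filter(None, map(CALL_RE.match, text.splitlines())):
        args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] is not None else []
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(Call(m["fn"], m["mod"], args, int(m["ref"], 16), sub))
    return calls

def pf_features(calls: List[Call]) -> List[str]:
    return [PF_NAMES.get(c.args[0], f"PF_{c.args[0]}") for c in calls
            if c.func == "IsProcessorFeaturePresent" and c.args]

def classify(calls: List[Call]) -> str:
    direct = {c.func for c in calls if c.subcall_of is None}
    if CRT_FASTFAIL <= direct:
        # SetUnhandledExceptionFilter(NULL) then UnhandledExceptionFilter is the runtime handing
        # a fatal error to WER. Installing a non-NULL filter is a genuine anti-debug trick, so
        # that case deliberately falls through to "review".
        suef = next(c for c in calls if c.func == "SetUnhandledExceptionFilter")
        if suef.args and suef.args[0] == 0:
            return "crt_fastfail"
    if direct and direct <= CRT_LOCALE:
        return "crt_locale"
    return "review"

if __name__ == "__main__":
    for rec in split_records(SAMPLE):
        calls = parse_record(rec)
        print(f"{classify(calls):12s} {pf_features(calls)}",
              [f"{c.func}@{c.ref:08X}" for c in calls if c.subcall_of is None])
```

Only direct calls decide the label; "Part of subcall function" lines are kept for context but ignored, because the report repeats the same GetLastError/SetLastError helper under many unrelated functions and it would otherwise drag every record into the locale bucket.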
                                    APIs
                                      • Part of subcall function 00AC4900: GetLastError.KERNEL32(?,00000008,00AC4EFF), ref: 00AC4904
                                      • Part of subcall function 00AC4900: SetLastError.KERNEL32(00000000,00AB4EC6,00000002,000000FF), ref: 00AC49A6
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00ACDF08
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00ACDF52
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00ACE018
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                    • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: InfoLocale$ErrorLast
                                    • String ID:
                                    • API String ID: 661929714-0
                                    • Opcode ID: 011aaa185e20e48df1b34faea9c118a330a582c6fa7c36a8312f358038f6bdaa
                                    • Instruction ID: bab5ab1cee9284511422b5a0152a5951920677cd62a249d6fc4e2106506ed711
                                    • Opcode Fuzzy Hash: 011aaa185e20e48df1b34faea9c118a330a582c6fa7c36a8312f358038f6bdaa
                                    • Instruction Fuzzy Hash: A5616B719402179BDB28DF28DD82FBA77A8FF04300F11817EE916D6581EB74E991CB90
                                    APIs
                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00AB4EC6), ref: 00ABC87B
                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00AB4EC6), ref: 00ABC885
                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00AB4EC6), ref: 00ABC892
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                    • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                    • String ID:
                                    • API String ID: 3906539128-0
                                    • Opcode ID: b23f588abad95a1f4ccb65e703a840e61558c055c8f69b3bdf7ee2b23723afa5
                                    • Instruction ID: f506ee94944ea1ef799d53fd2f53998deb4701b4775309875e047c24567ef08c
                                    • Opcode Fuzzy Hash: b23f588abad95a1f4ccb65e703a840e61558c055c8f69b3bdf7ee2b23723afa5
                                    • Instruction Fuzzy Hash: 3F31C2749012289BCB21DF68D989BDDBBB8BF08710F5041EAE41CA7261EB749F858F45
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                    • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 45359dbdee025ceff4488a092b7096e5c1b1646e308180004250f0db49df2fef
                                    • Instruction ID: 6b138429c5072fde3ac92b6f19aa74cb66a8e32c8c3b9e523e7a0060eaf630e4
                                    • Opcode Fuzzy Hash: 45359dbdee025ceff4488a092b7096e5c1b1646e308180004250f0db49df2fef
                                    • Instruction Fuzzy Hash: DCF11D75E002199FDF14CFA9D980BADB7B1FF89314F26826DE815AB381D730AD458B90
                                    APIs
                                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00ACA061,?,?,00000008,?,?,00AD3135,00000000), ref: 00ACA293
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                    • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: ExceptionRaise
                                    • String ID:
                                    • API String ID: 3997070919-0
                                    • Opcode ID: 10914f21a7e03e38263251b5da89efd28d0ece31d89fc41aa178f2182be94bfb
                                    • Instruction ID: f1dc58f6a1f0816e381fecebb6feb3c8315b8b855f81218550f55470a90d1ab7
                                    • Opcode Fuzzy Hash: 10914f21a7e03e38263251b5da89efd28d0ece31d89fc41aa178f2182be94bfb
                                    • Instruction Fuzzy Hash: CAB13C356106098FD715CF28C496FA57BA0FF55368F2A865CE89ACF2A1C335E981CB41
                                    APIs
                                    • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00AB857B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                    • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: FeaturePresentProcessor
                                    • String ID:
                                    • API String ID: 2325560087-0
                                    • Opcode ID: 13904d1608e73435ac939b499bb5f9ecf90c74e1e2c4ee3b2436ddeff42849b5
                                    • Instruction ID: cb66f5b6ad05317fb28e8b450eafa99f2ab794835c4286bb2189ab0fd008b2c2
                                    • Opcode Fuzzy Hash: 13904d1608e73435ac939b499bb5f9ecf90c74e1e2c4ee3b2436ddeff42849b5
                                    • Instruction Fuzzy Hash: B85176B1A12215CFEB19CF59E8917EEBBF8FB48345F24806AC411EB251DB789940CF90
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                    • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c6a851d4a97b38250b82fd2fcf7ae695065165d60fd5b79e7bb7968130b6b373
                                    • Instruction ID: 52080cb0eeaede3bcf659394c144fe085d1c5672b6c06c9ed1546d869f572f92
                                    • Opcode Fuzzy Hash: c6a851d4a97b38250b82fd2fcf7ae695065165d60fd5b79e7bb7968130b6b373
                                    • Instruction Fuzzy Hash: 8341CEB580421DAFCB20DF69CD89FBABBB8EB55308F1542DDE409E3201DA319E858F10
                                    APIs
                                      • Part of subcall function 00AC4900: GetLastError.KERNEL32(?,00000008,00AC4EFF), ref: 00AC4904
                                      • Part of subcall function 00AC4900: SetLastError.KERNEL32(00000000,00AB4EC6,00000002,000000FF), ref: 00AC49A6
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00ACE15B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                    • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: ErrorLast$InfoLocale
                                    • String ID:
                                    • API String ID: 3736152602-0
                                    • Opcode ID: 818bd73767f3f9e4b6bf7b52713e9901af6f37f542758af23d2ffa6355664827
                                    • Instruction ID: 89f26f42dc4ee27b4467bb1fc9cab439a94f86652556c29cc421a6c9754872f2
                                    • Opcode Fuzzy Hash: 818bd73767f3f9e4b6bf7b52713e9901af6f37f542758af23d2ffa6355664827
                                    • Instruction Fuzzy Hash: 47218072641206ABDB28DB29ED41FBA77ACEF14314B15417EF901D7141EB34ED51CB50
                                    APIs
                                      • Part of subcall function 00AC4900: GetLastError.KERNEL32(?,00000008,00AC4EFF), ref: 00AC4904
                                      • Part of subcall function 00AC4900: SetLastError.KERNEL32(00000000,00AB4EC6,00000002,000000FF), ref: 00AC49A6
                                    • EnumSystemLocalesW.KERNEL32(00ACDEB4,00000001,00000000,?,-00000050,?,00ACE4E5,00000000,?,?,?,00000055,?), ref: 00ACDE00
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                    • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: ErrorLast$EnumLocalesSystem
                                    • String ID:
                                    • API String ID: 2417226690-0
                                    • Opcode ID: 618ae65f6695a5ca9a2748111b31550ed9aafb1357f18b4bafcc7a85791ff491
                                    • Instruction ID: df7aeae72f7d4847049bb84e658462699c8e3d311a2f45dcf9d705a2bef4c698
                                    • Opcode Fuzzy Hash: 618ae65f6695a5ca9a2748111b31550ed9aafb1357f18b4bafcc7a85791ff491
                                    • Instruction Fuzzy Hash: CE1125376003055FDB18AF38D891ABABBA1FF94358B16843DE9878BA40D371B843CB40
                                    APIs
                                      • Part of subcall function 00AC4900: GetLastError.KERNEL32(?,00000008,00AC4EFF), ref: 00AC4904
                                      • Part of subcall function 00AC4900: SetLastError.KERNEL32(00000000,00AB4EC6,00000002,000000FF), ref: 00AC49A6
                                    • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00ACE0D0,00000000,00000000,?), ref: 00ACE362
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                    • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: ErrorLast$InfoLocale
                                    • String ID:
                                    • API String ID: 3736152602-0
                                    • Opcode ID: 9b51a0e2cbb207a987b42436cdcd139a67c7824a7370206b0ae071997502fc4c
                                    • Instruction ID: 921b7c01a255dfe9cd5d9131cf21af04365135dae72a66d308509b80ffc52940
                                    • Opcode Fuzzy Hash: 9b51a0e2cbb207a987b42436cdcd139a67c7824a7370206b0ae071997502fc4c
                                    • Instruction Fuzzy Hash: 20F0A432610156ABDB28DB659D06FBB7BA8EB40754F16482DEC06A7280EB74FE41C690
                                    APIs
                                      • Part of subcall function 00AC4900: GetLastError.KERNEL32(?,00000008,00AC4EFF), ref: 00AC4904
                                      • Part of subcall function 00AC4900: SetLastError.KERNEL32(00000000,00AB4EC6,00000002,000000FF), ref: 00AC49A6
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00ACDCF0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                     • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: ErrorLast$InfoLocale
                                    • String ID: utf8
                                    • API String ID: 3736152602-905460609
                                    • Opcode ID: e054d5cdbe42cb3f1622e495c46cad8e20606e0fe3ceefbcae4903465acc1567
                                    • Instruction ID: 93b796c035e18ef62d93520f01cf6110d1297cc773c8f54ebf521125603a0480
                                    • Opcode Fuzzy Hash: e054d5cdbe42cb3f1622e495c46cad8e20606e0fe3ceefbcae4903465acc1567
                                    • Instruction Fuzzy Hash: B2F0F432A41105ABC714AB78EC05FFB33ACEB49310B12017EF602D7241DA74AD058790
                                    APIs
                                      • Part of subcall function 00AC4900: GetLastError.KERNEL32(?,00000008,00AC4EFF), ref: 00AC4904
                                      • Part of subcall function 00AC4900: SetLastError.KERNEL32(00000000,00AB4EC6,00000002,000000FF), ref: 00AC49A6
                                    • EnumSystemLocalesW.KERNEL32(00ACE107,00000001,?,?,-00000050,?,00ACE4A9,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00ACDE73
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                     • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: ErrorLast$EnumLocalesSystem
                                    • String ID:
                                    • API String ID: 2417226690-0
                                    • Opcode ID: 18ec961a0194f0f7e9fd9a68e30d8093cd5fdc521d9e1130428130576d28faf6
                                    • Instruction ID: 7282e3f0aac29750cb0b12a3c4629c1c8c224795a580ed70adb9c9f597a2f8c9
                                    • Opcode Fuzzy Hash: 18ec961a0194f0f7e9fd9a68e30d8093cd5fdc521d9e1130428130576d28faf6
                                    • Instruction Fuzzy Hash: A3F0F63A2003085FDB149F79DC81F7BBB95EF90368B06453DF9458B680C6B1AC02CA50
                                    APIs
                                      • Part of subcall function 00ABF268: EnterCriticalSection.KERNEL32(-00161F0A,?,00AC1C4F,00000000,00AE05F0,0000000C,00AC1C16,?,?,00AC514E,?,?,00AC4A9E,00000001,00000364,00AB4EC6), ref: 00ABF277
                                    • EnumSystemLocalesW.KERNEL32(00AC5178,00000001,00AE07E0,0000000C,00AC55A7,00000000), ref: 00AC51BD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                     • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: CriticalEnterEnumLocalesSectionSystem
                                    • String ID:
                                    • API String ID: 1272433827-0
                                    • Opcode ID: 69befbb15b56b92623d87a7aa7a99c9e42c58e757db4a3a07b25ca6260929125
                                    • Instruction ID: ac8a83413f99f2a214c56c706a9ace7eb4d91c3515b74e374af12f441ce32eff
                                    • Opcode Fuzzy Hash: 69befbb15b56b92623d87a7aa7a99c9e42c58e757db4a3a07b25ca6260929125
                                    • Instruction Fuzzy Hash: 46F0F976A54204EFDB00EFA9E946BDD77B0FB46761F10822AF815DB2A2CB755940CF40
                                    APIs
                                      • Part of subcall function 00AC4900: GetLastError.KERNEL32(?,00000008,00AC4EFF), ref: 00AC4904
                                      • Part of subcall function 00AC4900: SetLastError.KERNEL32(00000000,00AB4EC6,00000002,000000FF), ref: 00AC49A6
                                    • EnumSystemLocalesW.KERNEL32(00ACDC9C,00000001,?,?,?,00ACE507,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00ACDD7A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                     • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: ErrorLast$EnumLocalesSystem
                                    • String ID:
                                    • API String ID: 2417226690-0
                                    • Opcode ID: af4ab22cd454ceccf5e01c2cf7f9e0ae5041f46d10a8a17ebd692adc5d1d9b4d
                                    • Instruction ID: 16051632c97913ad17b9c276646fdb54f98f4e6298974babe9fd2fc84709959d
                                    • Opcode Fuzzy Hash: af4ab22cd454ceccf5e01c2cf7f9e0ae5041f46d10a8a17ebd692adc5d1d9b4d
                                    • Instruction Fuzzy Hash: 1EF0E53A70020557CB05AF75D855B6ABF94EFC2710B07446DEA068B291D6719843CB90
                                    APIs
                                    • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00AC4009,?,20001004,00000000,00000002,?,?,00AC360B), ref: 00AC56DF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                     • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: InfoLocale
                                    • String ID:
                                    • API String ID: 2299586839-0
                                    • Opcode ID: 1995e36e5cef170de585aecdc8330456292199bd762f98beb017d8d32c18e799
                                    • Instruction ID: 4aff92c17f2f9c630b32bb944a3a8a03e1aab70f04935c2c24a617578ec87727
                                    • Opcode Fuzzy Hash: 1995e36e5cef170de585aecdc8330456292199bd762f98beb017d8d32c18e799
                                    • Instruction Fuzzy Hash: 9DE02631801618BBCF022FB0DC08F9E3F25EF00751F0A4015FC0526222CB729C61ABD4
                                    APIs
                                    • SetUnhandledExceptionFilter.KERNEL32(Function_0000890A,00AB82B2), ref: 00AB8903
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                     • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled
                                    • String ID:
                                    • API String ID: 3192549508-0
                                    • Opcode ID: 87b5616476564e477cfe95e73d28dd3cd258e22686be71c78f2b418c5d4c9869
                                    • Instruction ID: b9e12613cf20b15f9e1321050fb67fcd96ede76c8723dc7d7700be93ec205af9
                                    • Opcode Fuzzy Hash: 87b5616476564e477cfe95e73d28dd3cd258e22686be71c78f2b418c5d4c9869
                                    • Instruction Fuzzy Hash:
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                     • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: HeapProcess
                                    • String ID:
                                    • API String ID: 54951025-0
                                    • Opcode ID: ab0ab3414eb8b2181a83d329c6683413d1d054b292dbb8e59896c436c39f2654
                                    • Instruction ID: 408cf9e21ec0dccb9bba2789a78d3699629c62c0ccb44be48dd5e9cd87dfc924
                                    • Opcode Fuzzy Hash: ab0ab3414eb8b2181a83d329c6683413d1d054b292dbb8e59896c436c39f2654
                                    • Instruction Fuzzy Hash: 5AA011302022008BA3808FB0AA8830E3BB8AA02280308822AA002C2220EA2080A0AA00
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                     • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 77784191631fab09d19da44ed5f7a825e16aab00178e75313aca0a39de58d5d7
                                    • Instruction ID: 7f815a56a05ffe365ee8b46df21a097d81c914d512c5d7bafbaef41fcd584b12
                                    • Opcode Fuzzy Hash: 77784191631fab09d19da44ed5f7a825e16aab00178e75313aca0a39de58d5d7
                                    • Instruction Fuzzy Hash: 7CB1C170900A4A8BCB38CFA8C5956FEBBBDAF44300F144A1ED456E7293D635ED45CB52
                                    APIs
                                    • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00AB7D2A
                                    • GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 00AB7D38
                                    • GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00AB7D49
                                    • GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 00AB7D5A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                     • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: AddressProc$HandleModule
                                    • String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
                                    • API String ID: 667068680-1247241052
                                    • Opcode ID: 5047380a458e8b3e4f6854ef74cb561fc336d2a5d699fc960b1fb25b8eaf3325
                                    • Instruction ID: 1b88be4ae9f1e759ce054e66e7384622e99215cccbe1e7bd2522fa7c6547d585
                                    • Opcode Fuzzy Hash: 5047380a458e8b3e4f6854ef74cb561fc336d2a5d699fc960b1fb25b8eaf3325
                                    • Instruction Fuzzy Hash: 76E0B671557220ABC714EBF4BD09ACE3FA8BA0A6223058857F503D2660E67005018BA5
                                    APIs
                                    • type_info::operator==.LIBVCRUNTIME ref: 00ABB801
                                    • ___TypeMatch.LIBVCRUNTIME ref: 00ABB90F
                                    • _UnwindNestedFrames.LIBCMT ref: 00ABBA61
                                    • CallUnexpected.LIBVCRUNTIME ref: 00ABBA7C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                     • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                    • String ID: csm$csm$csm
                                    • API String ID: 2751267872-393685449
                                    • Opcode ID: 125837015007a6fb17b6778f69a0b14d2f2e4ed56ad2b058b26ff45e727aa1d3
                                    • Instruction ID: 4ff0264ec688eadd15c1f4389f52b23fb873ab93dd350b23bfb85a25b5600d53
                                    • Opcode Fuzzy Hash: 125837015007a6fb17b6778f69a0b14d2f2e4ed56ad2b058b26ff45e727aa1d3
                                    • Instruction Fuzzy Hash: 0EB13371C20209EFCF29DFA4C9819EEBBB9FF14310B14455AE9116B213D7B1DA91CBA1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                     • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID: 0-3907804496
                                    • Opcode ID: 39789dc3cad75230cb0d5a6461600c79c86d3a63a77f0a47ce0c9a9e1b392b02
                                    • Instruction ID: bf710d528f54fc6804c3680e9bfba5e2e849b7f4ddaaf16881b36e847e3dc351
                                    • Opcode Fuzzy Hash: 39789dc3cad75230cb0d5a6461600c79c86d3a63a77f0a47ce0c9a9e1b392b02
                                    • Instruction Fuzzy Hash: 86B13570A04245AFDB11CFA9C884FAEBBB1BF4A304F16424DE515AB3A2C7749D42CB60
                                    APIs
                                    • GetCPInfo.KERNEL32(012A05A8,012A05A8,?,7FFFFFFF,?,00AD22CA,012A05A8,012A05A8,?,012A05A8,?,?,?,?,012A05A8,?), ref: 00AD20A0
                                    • __alloca_probe_16.LIBCMT ref: 00AD215B
                                    • __alloca_probe_16.LIBCMT ref: 00AD21EA
                                    • __freea.LIBCMT ref: 00AD2235
                                    • __freea.LIBCMT ref: 00AD223B
                                    • __freea.LIBCMT ref: 00AD2271
                                    • __freea.LIBCMT ref: 00AD2277
                                    • __freea.LIBCMT ref: 00AD2287
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                     • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: __freea$__alloca_probe_16$Info
                                    • String ID:
                                    • API String ID: 127012223-0
                                    • Opcode ID: a546bd4d73acc533d4be9ae76624689beca032af4e8c0d46327050b05dd3e28a
                                    • Instruction ID: f900924e2ebedf9e5000d810625fbf8507876b935cb9fc6a866ee3229da15867
                                    • Opcode Fuzzy Hash: a546bd4d73acc533d4be9ae76624689beca032af4e8c0d46327050b05dd3e28a
                                    • Instruction Fuzzy Hash: 3C71E63290020A6BDF219FA48D42FEEBBB9AF65314F29415BF906A7381D635DC40C7A0
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 00AB7A43
                                    • __alloca_probe_16.LIBCMT ref: 00AB7A6F
                                    • MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 00AB7AAE
                                    • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00AB7ACB
                                    • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00AB7B0A
                                    • __alloca_probe_16.LIBCMT ref: 00AB7B27
                                    • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00AB7B69
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00AB7B8C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                     • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: ByteCharMultiStringWide$__alloca_probe_16
                                    • String ID:
                                    • API String ID: 2040435927-0
                                    • Opcode ID: d54e42d68bfabcdc7ba19460be4dbc4063e2ea183a26b0bea66fbf8e64e5f378
                                    • Instruction ID: 3270dbc6feb4ece2f8f4612c654c95a51b298d244c315074113f4341c1dfa22d
                                    • Opcode Fuzzy Hash: d54e42d68bfabcdc7ba19460be4dbc4063e2ea183a26b0bea66fbf8e64e5f378
                                    • Instruction Fuzzy Hash: 7551AE7250820AABEF209FA4DC45FEE7BBDEF80751F144529F916A6152EBB0CD11CB60
                                    APIs
                                    • _ValidateLocalCookies.LIBCMT ref: 00ABB1E7
                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 00ABB1EF
                                    • _ValidateLocalCookies.LIBCMT ref: 00ABB278
                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 00ABB2A3
                                    • _ValidateLocalCookies.LIBCMT ref: 00ABB2F8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                     • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                    • String ID: csm
                                    • API String ID: 1170836740-1018135373
                                    • Opcode ID: b6762acb38f07719fef1033ea4bcded799d90ba19bc8bb5b21b27bd5645ca7ef
                                    • Instruction ID: 8c515d03e2691d8c8b29a774ab38786d2522d2799f11261241f4fd595acd4057
                                    • Opcode Fuzzy Hash: b6762acb38f07719fef1033ea4bcded799d90ba19bc8bb5b21b27bd5645ca7ef
                                    • Instruction Fuzzy Hash: B341B034A10208AFCF10DF69C895AEEBBB8EF45324F148155E8159B393D771EE01CBA0
                                    APIs
                                    • __EH_prolog3.LIBCMT ref: 00AB6664
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00AB666E
                                    • int.LIBCPMT ref: 00AB6685
                                      • Part of subcall function 00AB2C1B: std::_Lockit::_Lockit.LIBCPMT ref: 00AB2C2C
                                      • Part of subcall function 00AB2C1B: std::_Lockit::~_Lockit.LIBCPMT ref: 00AB2C46
                                    • codecvt.LIBCPMT ref: 00AB66A8
                                    • std::_Facet_Register.LIBCPMT ref: 00AB66BF
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00AB66DF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                     • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
                                    • String ID:
                                    • API String ID: 712880209-0
                                    • Opcode ID: 8a03ae2a9036c5621321ce25d9baf5358331bc6a7c046d8387603e16d032ce4c
                                    • Instruction ID: 7abed7cadd8efe28ba693a851df793ada3556c1e7ee3e07fe7180d4d6f9d5df3
                                    • Opcode Fuzzy Hash: 8a03ae2a9036c5621321ce25d9baf5358331bc6a7c046d8387603e16d032ce4c
                                    • Instruction Fuzzy Hash: 1B1172719012249BCB14EBA89A426EEBBFCAF45710F14051AF416A7393DF759A01CB91
                                    APIs
                                    • GetLastError.KERNEL32(?,?,00ABB36B,00AB9930,00AB585E,240508E6,?,?,?,?,00AD3C63,000000FF), ref: 00ABB382
                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00ABB390
                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00ABB3A9
                                    • SetLastError.KERNEL32(00000000,?,00ABB36B,00AB9930,00AB585E,240508E6,?,?,?,?,00AD3C63,000000FF), ref: 00ABB3FB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                     • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: ErrorLastValue___vcrt_
                                    • String ID:
                                    • API String ID: 3852720340-0
                                    • Opcode ID: b74ff5ae7e40d0d0270d1c8198d75364ff6e4760a692a063a18ed1430de1fef2
                                    • Instruction ID: 5cac55ef0ab36970006bfbf6d4eb825bb6a9009f82b645bfa60b0345ab3d8bad
                                    • Opcode Fuzzy Hash: b74ff5ae7e40d0d0270d1c8198d75364ff6e4760a692a063a18ed1430de1fef2
                                    • Instruction Fuzzy Hash: 1401D87622A6215FE62827B57D86ADA2B9CFB02376720032BF011484F3EF914C4153A4
                                    APIs
                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,240508E6,?,?,00000000,00AD3E8A,000000FF,?,00AC1FEE,?,?,00AC1FC2,00000016), ref: 00AC2096
                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00AC20A8
                                    • FreeLibrary.KERNEL32(00000000,?,00000000,00AD3E8A,000000FF,?,00AC1FEE,?,?,00AC1FC2,00000016), ref: 00AC20CA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                     • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: AddressFreeHandleLibraryModuleProc
                                    • String ID: CorExitProcess$mscoree.dll
                                    • API String ID: 4061214504-1276376045
                                    • Opcode ID: 307dd3f266749b09157f5e1cde48902574668cd17c5f56e2f52e9c6dea426fd5
                                    • Instruction ID: a13848c26270777e3bd148aab1bb74a71e29d23666208885d76dc92b4549f256
                                    • Opcode Fuzzy Hash: 307dd3f266749b09157f5e1cde48902574668cd17c5f56e2f52e9c6dea426fd5
                                    • Instruction Fuzzy Hash: 06016271901615FFDB119F94EC05FAEBBB8FB44B11F01862AF812A26D0DB759900CB90
                                    APIs
                                    • GetCurrentThreadId.KERNEL32 ref: 00AB5A5B
                                    • AcquireSRWLockExclusive.KERNEL32(00000000,?,00AB49A2,?,?,00AB3B2B), ref: 00AB5A7A
                                    • AcquireSRWLockExclusive.KERNEL32(00000000,?,00000000,?,00AB49A2,?,?,00AB3B2B), ref: 00AB5AA8
                                    • TryAcquireSRWLockExclusive.KERNEL32(00000000,?,00000000,?,00AB49A2,?,?,00AB3B2B), ref: 00AB5B03
                                    • TryAcquireSRWLockExclusive.KERNEL32(00000000,?,00000000,?,00AB49A2,?,?,00AB3B2B), ref: 00AB5B1A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                     • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: AcquireExclusiveLock$CurrentThread
                                    • String ID:
                                    • API String ID: 66001078-0
                                    • Opcode ID: 3892196ee1d89b26fec0cde68eb4cc3bffd051535a2c4c2428b93f3d028f9eda
                                    • Instruction ID: f18314c97e216fbe24669069c327c251726fbcc1710ed2c842e32b09287fe1ed
                                    • Opcode Fuzzy Hash: 3892196ee1d89b26fec0cde68eb4cc3bffd051535a2c4c2428b93f3d028f9eda
                                    • Instruction Fuzzy Hash: 52412830D00A06DBCB24DF75C485AEAF7F8FF09350B508A2AD456EB642E730E985CB60
                                    APIs
                                    • __EH_prolog3.LIBCMT ref: 00AB5F62
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00AB5F6D
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00AB5FDB
                                      • Part of subcall function 00AB60BE: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00AB60D6
                                    • std::locale::_Setgloballocale.LIBCPMT ref: 00AB5F88
                                    • _Yarn.LIBCPMT ref: 00AB5F9E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                     • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                    • String ID:
                                    • API String ID: 1088826258-0
                                    • Opcode ID: bda0d64062f45b18e3124c5bdd55044f63e227eee33d2eab7e506d83015ace67
                                    • Instruction ID: bcf6ba69155f14bef2b641478ee2f155a4067b512f19b057979d6ab824a90595
                                    • Opcode Fuzzy Hash: bda0d64062f45b18e3124c5bdd55044f63e227eee33d2eab7e506d83015ace67
                                    • Instruction Fuzzy Hash: 23017C75A016209BDB06FB64DA856FDB769FF86340B14800AE81257393CF79AE02DBC1
                                    APIs
                                    • LoadLibraryExW.KERNEL32(?,00000000,00000800,?,00ABC428,?,?,00000000,?,?,?,00ABC552,00000002,FlsGetValue,00AD8080,FlsGetValue), ref: 00ABC484
                                    • GetLastError.KERNEL32(?,00ABC428,?,?,00000000,?,?,?,00ABC552,00000002,FlsGetValue,00AD8080,FlsGetValue,?,?,00ABB395), ref: 00ABC48E
                                    • LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 00ABC4B6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                     • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: LibraryLoad$ErrorLast
                                    • String ID: api-ms-
                                    • API String ID: 3177248105-2084034818
                                    • Opcode ID: 7acd87d2f30d39a1574b8dae496f49d4281844b67b05a7777a49fd51a62c6cac
                                    • Instruction ID: aa5972d1173147cbde153ec06f4624f8b6b1a317ed8c0e52883b01c5611ab35a
                                    • Opcode Fuzzy Hash: 7acd87d2f30d39a1574b8dae496f49d4281844b67b05a7777a49fd51a62c6cac
                                    • Instruction Fuzzy Hash: E1E04830280208B7DF201B90DD0AF693F5D9B00F54F108021F90DA44E2DB769A519A44
                                    APIs
                                    • GetConsoleOutputCP.KERNEL32(240508E6,00000000,00000000,00000000), ref: 00AC7E75
                                      • Part of subcall function 00ACA79E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00AC79EE,?,00000000,-00000008), ref: 00ACA84A
                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00AC80D0
                                    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00AC8118
                                    • GetLastError.KERNEL32 ref: 00AC81BB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                     • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                    • String ID:
                                    • API String ID: 2112829910-0
                                    • Opcode ID: 8d20f7f13ea63bc8389d40bce8c0eed1f33a29b5ee4219bbf086230f86ee6a08
                                    • Instruction ID: 7153d4d83a5a3229427af5a9813117e24e50c36f9faddd41ce67cad59bf15ca9
                                    • Opcode Fuzzy Hash: 8d20f7f13ea63bc8389d40bce8c0eed1f33a29b5ee4219bbf086230f86ee6a08
                                    • Instruction Fuzzy Hash: 4ED158B5D04248AFCB15CFA8D880EEDBBF4FF09304F19462EE856E7251DA34A946CB50
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                     • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: AdjustPointer
                                    • String ID:
                                    • API String ID: 1740715915-0
                                    • Opcode ID: fdff492e60534a687af70e12ae24b6df99eb5b52c69db27a8859acb67f012284
                                    • Instruction ID: 76ca09082ccf480d0774fff71dc8552491cbb365a1f7482405d184c1442607f4
                                    • Opcode Fuzzy Hash: fdff492e60534a687af70e12ae24b6df99eb5b52c69db27a8859acb67f012284
                                    • Instruction Fuzzy Hash: D251D1B2614606AFEB398F54D951BFA77ADFF04310F144629E90647293D7B2EC80CBA1
                                    APIs
                                      • Part of subcall function 00ACA79E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00AC79EE,?,00000000,-00000008), ref: 00ACA84A
                                    • GetLastError.KERNEL32 ref: 00ACAAC2
                                    • __dosmaperr.LIBCMT ref: 00ACAAC9
                                    • GetLastError.KERNEL32(?,?,?,?), ref: 00ACAB03
                                    • __dosmaperr.LIBCMT ref: 00ACAB0A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                     • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                    • String ID:
                                    • API String ID: 1913693674-0
                                    • Opcode ID: 72a65498f1d181511cbbd1585ea1afae7b7889dbd26db9c3eda7fdeaf2727c4f
                                    • Instruction ID: ebf9434e45bd537c6e51e392ad649033ac1edd6735fa5bc162ca9a4aaef765a6
                                    • Opcode Fuzzy Hash: 72a65498f1d181511cbbd1585ea1afae7b7889dbd26db9c3eda7fdeaf2727c4f
                                    • Instruction Fuzzy Hash: FA21837170020DAF9B20AFA5C981F7BB7A9EF153A8712851DF92A97151E730EC40CB91
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                     • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: daa960839419f1026286907251f955e091c39bc29638153a5dccfc24f31e3996
                                    • Instruction ID: 6defef72c7eecd7d0d7d07a4b579200e21d4f5bb83b51988f63cbb134bad5303
                                    • Opcode Fuzzy Hash: daa960839419f1026286907251f955e091c39bc29638153a5dccfc24f31e3996
                                    • Instruction Fuzzy Hash: 1821A131708205AF9B20AFB5CD80E6B77A9AF13368B56852DF91597142E730EC41CB90
                                    APIs
                                    • GetEnvironmentStringsW.KERNEL32 ref: 00ACB9FC
                                      • Part of subcall function 00ACA79E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00AC79EE,?,00000000,-00000008), ref: 00ACA84A
                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00ACBA34
                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00ACBA54
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                     • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                    • String ID:
                                    • API String ID: 158306478-0
                                    • Opcode ID: feab525b4d0475d5d3a85497d710eb870a135fec330ad285d981f6e4f8de89be
                                    • Instruction ID: e4c71be41772b85d05b1f09fed036b2bd7127fd67853be14d8616ef6a5c9467e
                                    • Opcode Fuzzy Hash: feab525b4d0475d5d3a85497d710eb870a135fec330ad285d981f6e4f8de89be
                                    • Instruction Fuzzy Hash: F111E1B291661A7F6A11A7B15DCFE7F7A6CDE883D8B12011EF802D2101FB22DD018171
                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00AB1F67
                                    • int.LIBCPMT ref: 00AB1F7A
                                      • Part of subcall function 00AB2C1B: std::_Lockit::_Lockit.LIBCPMT ref: 00AB2C2C
                                      • Part of subcall function 00AB2C1B: std::_Lockit::~_Lockit.LIBCPMT ref: 00AB2C46
                                    • std::_Facet_Register.LIBCPMT ref: 00AB1FAD
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00AB1FC3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                     • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                    • String ID:
                                    • API String ID: 459529453-0
                                    • Opcode ID: f46523fc74ef5580886e456ffcf433ef4c4ff818179439666481296fa50e6455
                                    • Instruction ID: d7ded6eb2947f513ff7eea687a0cae33207918fd7912bc9f08b5d5bd949a9f01
                                    • Opcode Fuzzy Hash: f46523fc74ef5580886e456ffcf433ef4c4ff818179439666481296fa50e6455
                                    • Instruction Fuzzy Hash: 50012B32900024ABCB14EBB4D9159FD7BACDF41760B10015AF81157293EF30DE42DB80
                                    APIs
                                    • WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00AD0770,00000000,00000001,00000000,00000000,?,00AC820F,00000000,00000000,00000000), ref: 00AD1E46
                                    • GetLastError.KERNEL32(?,00AD0770,00000000,00000001,00000000,00000000,?,00AC820F,00000000,00000000,00000000,00000000,00000000,?,00AC8796,?), ref: 00AD1E52
                                      • Part of subcall function 00AD1E18: CloseHandle.KERNEL32(FFFFFFFE,00AD1E62,?,00AD0770,00000000,00000001,00000000,00000000,?,00AC820F,00000000,00000000,00000000,00000000,00000000), ref: 00AD1E28
                                    • ___initconout.LIBCMT ref: 00AD1E62
                                      • Part of subcall function 00AD1DDA: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00AD1E09,00AD075D,00000000,?,00AC820F,00000000,00000000,00000000,00000000), ref: 00AD1DED
                                    • WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,?,00AD0770,00000000,00000001,00000000,00000000,?,00AC820F,00000000,00000000,00000000,00000000), ref: 00AD1E77
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                     • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                    • String ID:
                                    • API String ID: 2744216297-0
                                    • Opcode ID: 0518b19ca7bf5280bd150b91f8c96270e20a6b6f7d311538dde5ebf4c55f9068
                                    • Instruction ID: aac3e2dd600c3dc9c8980ecf2e5c2e609e7b5945467a76ab9cf2c444b21e9cb2
                                    • Opcode Fuzzy Hash: 0518b19ca7bf5280bd150b91f8c96270e20a6b6f7d311538dde5ebf4c55f9068
                                    • Instruction Fuzzy Hash: 70F03036101224BBCF225FD5DC04A9E3F66FF493A1B418411FE2A86230CB328820DBD0
                                    APIs
                                    • EncodePointer.KERNEL32(00000000,?), ref: 00ABBAAC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                     • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: EncodePointer
                                    • String ID: MOC$RCC
                                    • API String ID: 2118026453-2084237596
                                    • Opcode ID: ffe065a12b7454702c9d184cca3beeae3ec5bc49caa1c77422b9d687ff790bbb
                                    • Instruction ID: 545a44489130eb299380b68cd02285a482f97417ddec5f575ac6983803b80f1f
                                    • Opcode Fuzzy Hash: ffe065a12b7454702c9d184cca3beeae3ec5bc49caa1c77422b9d687ff790bbb
                                    • Instruction Fuzzy Hash: 31414771900209EFCF16DF98CD81AEEBBB9FF48304F148199F905A6266D3B59990DB60
                                    APIs
                                    • __alloca_probe_16.LIBCMT ref: 00AB59A7
                                    • RaiseException.KERNEL32(?,?,?,00AB4BEB,?,?,?,?,?,?,?,?,?,?,00AB4BEB,00000001), ref: 00AB59CC
                                      • Part of subcall function 00AB9362: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,?,00AB4ED4,?,00ADFDA8,?), ref: 00AB93C2
                                      • Part of subcall function 00ABC9FB: IsProcessorFeaturePresent.KERNEL32(00000017,00ABC782,?,00ABC6F1,00AB4EC6,00000016,00ABC900,?,?,?,?,?,00000000,?,?), ref: 00ABCA17
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                     • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
                                    • String ID: csm
                                    • API String ID: 1924019822-1018135373
                                    • Opcode ID: 00dc05cd86f8a8e41ba6088c18fd82e516eda3bb3b7cc3780f999936319e93f7
                                    • Instruction ID: 78a654af3d4263a7631c70a16c743ddc493de70fe5d7377556ee49e4e63f5173
                                    • Opcode Fuzzy Hash: 00dc05cd86f8a8e41ba6088c18fd82e516eda3bb3b7cc3780f999936319e93f7
                                    • Instruction Fuzzy Hash: 3D216831D00A18EBCF34DFA9D946BEEB7BDEF04720F544809E446AB252DA70AD45CB91
                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00AB22CF
                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00AB2307
                                      • Part of subcall function 00AB6059: _Yarn.LIBCPMT ref: 00AB6078
                                      • Part of subcall function 00AB6059: _Yarn.LIBCPMT ref: 00AB609C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1674783684.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                     • Associated: 00000000.00000002.1674765115.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674806593.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674823998.0000000000AE2000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1674918244.0000000000C18000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                    Similarity
                                    • API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                    • String ID: bad locale name
                                    • API String ID: 1908188788-1405518554
                                    • Opcode ID: 40b1b5edc882d015914cd657796b2f633f60d66e8e7d288b1292bdb92d04e1b2
                                    • Instruction ID: b48308d14699e1b69ca6475468c71a20167566cb1d0d47493917b2a22c95efa1
                                    • Opcode Fuzzy Hash: 40b1b5edc882d015914cd657796b2f633f60d66e8e7d288b1292bdb92d04e1b2
                                    • Instruction Fuzzy Hash: 32F01D71515B409E83309F7A9581583FBE8BE2C2103508E2FE1DEC3A12D734E404CB69

                                    Execution Graph

                                    Execution Coverage: 5.2%
                                    Dynamic/Decrypted Code Coverage: 0%
                                    Signature Coverage: 0%
                                    Total number of Nodes: 2000
                                    Total number of Limit Nodes: 60
LeaveCriticalSection 17714->17716 17788 41cb85 17715->17788 17716->17708 17718->17618 17719->17631 17721 41c9d5 17720->17721 17722 41ca3e 17720->17722 17721->17722 17727 41c9fb __wsopen_s 17721->17727 17723 40e062 __dosmaperr 14 API calls 17722->17723 17724 41ca43 17723->17724 17725 40e04f __dosmaperr 14 API calls 17724->17725 17726 41ca2b 17725->17726 17726->17634 17729 41fd65 17726->17729 17727->17726 17728 41ca25 SetStdHandle 17727->17728 17728->17726 17730 41fd8d 17729->17730 17731 41fdbf 17729->17731 17730->17731 17805 418aa3 17730->17805 17731->17634 17734 41fdc3 17811 422220 17734->17811 17735 41fdad 17737 40e04f __dosmaperr 14 API calls 17735->17737 17739 41fdb2 17737->17739 17738 41fdd5 17739->17731 17741 40e062 __dosmaperr 14 API calls 17739->17741 17741->17731 17745 414d30 _Fputc 17744->17745 18046 414d4d 17745->18046 17747 414d3c 17748 40bbc5 _Fputc 41 API calls 17747->17748 17749 414d48 17748->17749 17749->17642 17751 41f939 17750->17751 17773 41fa1c 17750->17773 17758 41f959 17751->17758 18059 4115b9 17751->18059 17753 41f950 17754 41fb4b 17753->17754 17753->17758 17755 40df91 __Getctype 11 API calls 17754->17755 17756 41fb55 17755->17756 17757 41fa42 17759 422220 __wsopen_s 53 API calls 17757->17759 17757->17773 17775 41fa4c 17757->17775 17758->17757 17760 418aa3 __wsopen_s 43 API calls 17758->17760 17762 41fa13 17758->17762 17758->17773 17763 41fa74 17759->17763 17761 41fa2c 17760->17761 17761->17762 17767 41fa37 17761->17767 17762->17773 17762->17775 18066 416c60 17762->18066 17764 41fadf 17763->17764 17765 41fab9 17763->17765 17766 41faac 17763->17766 17763->17773 17763->17775 17774 418aa3 __wsopen_s 43 API calls 17764->17774 17765->17764 17772 41fac1 17765->17772 17770 40e062 __dosmaperr 14 API calls 17766->17770 17771 418aa3 __wsopen_s 43 API calls 17767->17771 17769 40e062 __dosmaperr 14 API calls 17769->17773 17770->17775 17771->17757 17776 418aa3 __wsopen_s 43 API calls 17772->17776 17773->17639 17773->17640 17774->17775 17775->17769 
17775->17773 17776->17775 17777->17645 17779 41cc04 17778->17779 17780 41cb9d 17778->17780 17781 40e062 __dosmaperr 14 API calls 17779->17781 17780->17779 17785 41cbc7 __wsopen_s 17780->17785 17782 41cc09 17781->17782 17783 40e04f __dosmaperr 14 API calls 17782->17783 17784 41cbf4 17783->17784 17784->17647 17785->17784 17786 41cbee SetStdHandle 17785->17786 17786->17784 17787->17708 17799 40e0fe LeaveCriticalSection 17788->17799 17790 41caf5 17790->17612 17790->17613 17792 414084 _unexpected 14 API calls 17791->17792 17793 41c867 17792->17793 17797 41c874 17793->17797 17800 4146c9 17793->17800 17794 4140e1 ___free_lconv_mon 14 API calls 17796 41c8c9 17794->17796 17796->17715 17798 41c9a3 EnterCriticalSection 17796->17798 17797->17794 17798->17715 17799->17790 17801 4143bc std::_Locinfo::_Locinfo_ctor 5 API calls 17800->17801 17802 4146e5 17801->17802 17803 414703 InitializeCriticalSectionAndSpinCount 17802->17803 17804 4146ee 17802->17804 17803->17804 17804->17793 17806 418ab7 _Fputc 17805->17806 17880 4189c2 17806->17880 17808 418acc 17809 40bbc5 _Fputc 41 API calls 17808->17809 17810 418adb 17809->17810 17810->17734 17810->17735 17812 422232 17811->17812 17813 42224a 17811->17813 17814 40e04f __dosmaperr 14 API calls 17812->17814 17815 4225a0 17813->17815 17824 422290 17813->17824 17816 422237 17814->17816 17817 40e04f __dosmaperr 14 API calls 17815->17817 17818 40e062 __dosmaperr 14 API calls 17816->17818 17819 4225a5 17817->17819 17820 42223f 17818->17820 17820->17738 17822 42229b 17823 40e04f __dosmaperr 14 API calls 17822->17823 17824->17820 17824->17822 17828 4222cb 17824->17828 17830 4222e4 17828->17830 17831 4222fe 17828->17831 17832 42232f 17828->17832 17830->17831 17886 41cc1f 17880->17886 17882 4189d4 17883 4189f0 SetFilePointerEx 17882->17883 17885 4189dc __wsopen_s 17882->17885 17884 418a08 GetLastError 17883->17884 17883->17885 17884->17885 17885->17808 17887 41cc2c 17886->17887 17888 41cc41 17886->17888 17889 40e04f __dosmaperr 14 API calls 
17887->17889 17891 40e04f __dosmaperr 14 API calls 17888->17891 17893 41cc66 17888->17893 17890 41cc31 17889->17890 17892 40e062 __dosmaperr 14 API calls 17890->17892 17894 41cc71 17891->17894 17895 41cc39 17892->17895 17893->17882 17896 40e062 __dosmaperr 14 API calls 17894->17896 17895->17882 17897 41cc79 17896->17897 17898 40df64 _Ungetc 41 API calls 17897->17898 17898->17895 18047 41cc1f __wsopen_s 41 API calls 18046->18047 18049 414d5d 18047->18049 18048 414d63 18050 41cb8e __wsopen_s 15 API calls 18048->18050 18049->18048 18051 414d95 18049->18051 18052 41cc1f __wsopen_s 41 API calls 18049->18052 18058 414dbb __wsopen_s 18050->18058 18051->18048 18053 41cc1f __wsopen_s 41 API calls 18051->18053 18055 414d8c 18052->18055 18054 414da1 FindCloseChangeNotification 18053->18054 18054->18048 18056 414dad GetLastError 18054->18056 18057 41cc1f __wsopen_s 41 API calls 18055->18057 18056->18048 18057->18051 18058->17747 18060 4115c5 18059->18060 18061 4115da 18059->18061 18062 40e062 __dosmaperr 14 API calls 18060->18062 18061->17753 18063 4115ca 18062->18063 18064 40df64 _Ungetc 41 API calls 18063->18064 18065 4115d5 18064->18065 18065->17753 18067 416c73 _Fputc 18066->18067 18072 416c97 18067->18072 18070 40bbc5 _Fputc 41 API calls 18071 416c92 18070->18071 18071->17762 18075 416ca3 __FrameHandler3::FrameUnwindToState 18072->18075 18073 416c85 18073->18070 18074 416d67 18076 40dee7 _Fputc 41 API calls 18074->18076 18075->18073 18075->18074 18077 416cf8 18075->18077 18076->18073 18083 41c9a3 EnterCriticalSection 18077->18083 18079 416cfe 18080 416d1b 18079->18080 18081 416d9f __wsopen_s 64 API calls 18079->18081 18084 416d5f 18080->18084 18081->18080 18083->18079 18087 41ca58 LeaveCriticalSection 18084->18087 18086 416d65 18086->18073 18087->18086 18088->17596 21894 40edef 21895 40ee01 21894->21895 21897 40ee0a ___scrt_uninitialize_crt 21894->21897 21896 40ec73 ___scrt_uninitialize_crt 70 API calls 21895->21896 21898 40ee07 21896->21898 21899 40ee1b 21897->21899 
21902 40ec13 21897->21902 21903 40ec1f __FrameHandler3::FrameUnwindToState 21902->21903 21910 40bb55 EnterCriticalSection 21903->21910 21905 40ec2d 21906 40ed81 ___scrt_uninitialize_crt 70 API calls 21905->21906 21907 40ec3e 21906->21907 21911 40ec67 21907->21911 21910->21905 21914 40bb69 LeaveCriticalSection 21911->21914 21913 40ec50 21914->21913 21919 414ff2 21920 414ffd 21919->21920 21921 41500d 21919->21921 21925 415013 21920->21925 21924 4140e1 ___free_lconv_mon 14 API calls 21924->21921 21926 415028 21925->21926 21929 41502e 21925->21929 21927 4140e1 ___free_lconv_mon 14 API calls 21926->21927 21927->21929 21928 4140e1 ___free_lconv_mon 14 API calls 21930 41503a 21928->21930 21929->21928 21931 4140e1 ___free_lconv_mon 14 API calls 21930->21931 21932 415045 21931->21932 21933 4140e1 ___free_lconv_mon 14 API calls 21932->21933 21934 415050 21933->21934 21935 4140e1 ___free_lconv_mon 14 API calls 21934->21935 21936 41505b 21935->21936 21937 4140e1 ___free_lconv_mon 14 API calls 21936->21937 21938 415066 21937->21938 21939 4140e1 ___free_lconv_mon 14 API calls 21938->21939 21940 415071 21939->21940 21941 4140e1 ___free_lconv_mon 14 API calls 21940->21941 21942 41507c 21941->21942 21943 4140e1 ___free_lconv_mon 14 API calls 21942->21943 21944 415087 21943->21944 21945 4140e1 ___free_lconv_mon 14 API calls 21944->21945 21946 415095 21945->21946 21951 414e3f 21946->21951 21952 414e4b __FrameHandler3::FrameUnwindToState 21951->21952 21967 40e0b6 EnterCriticalSection 21952->21967 21954 414e7f 21968 414e9e 21954->21968 21957 414e55 21957->21954 21958 4140e1 ___free_lconv_mon 14 API calls 21957->21958 21958->21954 21959 414eaa 21960 414eb6 __FrameHandler3::FrameUnwindToState 21959->21960 21972 40e0b6 EnterCriticalSection 21960->21972 21962 414ec0 21963 4150e0 _unexpected 14 API calls 21962->21963 21964 414ed3 21963->21964 21973 414ef3 21964->21973 21967->21957 21971 40e0fe LeaveCriticalSection 21968->21971 21970 414e8c 21970->21959 21971->21970 21972->21962 21976 40e0fe 
LeaveCriticalSection 21973->21976 21975 414ee1 21975->21924 21976->21975 18089 407287 18090 407293 __FrameHandler3::FrameUnwindToState 18089->18090 18115 4074f8 18090->18115 18092 40729a 18093 4073f3 18092->18093 18101 4072c4 ___scrt_release_startup_lock std::locale::_Setgloballocale 18092->18101 18150 407af1 IsProcessorFeaturePresent 18093->18150 18095 4073fa 18133 4115a3 18095->18133 18098 411567 std::locale::_Setgloballocale 23 API calls 18099 407408 18098->18099 18100 4072e3 18101->18100 18104 407364 18101->18104 18136 41157d 18101->18136 18126 4111e1 18104->18126 18105 40736a 18130 403ed0 CreateThread WaitForSingleObject 18105->18130 18108 407c11 GetModuleHandleW 18109 40738b 18108->18109 18109->18095 18110 40738f 18109->18110 18111 407398 18110->18111 18141 411558 18110->18141 18144 407669 18111->18144 18116 407501 18115->18116 18154 4077d0 IsProcessorFeaturePresent 18116->18154 18120 407516 18120->18092 18121 407512 18121->18120 18164 41334e 18121->18164 18124 40752d 18124->18092 18127 4111ef 18126->18127 18128 4111ea 18126->18128 18127->18105 18278 410f3b 18128->18278 18131 407413 __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 18130->18131 18545 4038b0 18130->18545 18132 403f12 18131->18132 18132->18108 18134 41138b std::locale::_Setgloballocale 23 API calls 18133->18134 18135 407400 18134->18135 18135->18098 18137 411593 std::_Locinfo::_Locinfo_ctor 18136->18137 18138 4107a4 __FrameHandler3::FrameUnwindToState 18136->18138 18137->18104 18138->18136 18139 41512b _unexpected 41 API calls 18138->18139 18140 40e12c __purecall 41 API calls 18138->18140 18139->18138 18140->18138 18142 41138b std::locale::_Setgloballocale 23 API calls 18141->18142 18143 411563 18142->18143 18143->18111 18145 407675 18144->18145 18146 4073a1 18145->18146 19586 413360 18145->19586 18146->18100 18148 407683 18149 40a59d ___scrt_uninitialize_crt 7 API calls 18148->18149 18149->18146 18151 407b07 codecvt 
std::locale::_Setgloballocale 18150->18151 18152 407bb2 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 18151->18152 18153 407bfd std::locale::_Setgloballocale 18152->18153 18153->18095 18155 40750d 18154->18155 18156 40a57e 18155->18156 18173 40b657 18156->18173 18159 40a587 18159->18121 18161 40a58f 18162 40a59a 18161->18162 18187 40b693 18161->18187 18162->18121 18227 41efe4 18164->18227 18167 40a59d 18168 40a5b0 18167->18168 18169 40a5a6 18167->18169 18168->18120 18170 40a716 ___vcrt_uninitialize_ptd 6 API calls 18169->18170 18171 40a5ab 18170->18171 18172 40b693 ___vcrt_uninitialize_locks DeleteCriticalSection 18171->18172 18172->18168 18174 40b660 18173->18174 18176 40b689 18174->18176 18178 40a583 18174->18178 18191 40b89c 18174->18191 18177 40b693 ___vcrt_uninitialize_locks DeleteCriticalSection 18176->18177 18177->18178 18178->18159 18179 40a6e3 18178->18179 18208 40b7ad 18179->18208 18182 40a6f8 18182->18161 18185 40a713 18185->18161 18188 40b6bd 18187->18188 18189 40b69e 18187->18189 18188->18159 18190 40b6a8 DeleteCriticalSection 18189->18190 18190->18188 18190->18190 18196 40b6c2 18191->18196 18194 40b8d4 InitializeCriticalSectionAndSpinCount 18195 40b8bf 18194->18195 18195->18174 18197 40b6df 18196->18197 18200 40b6e3 18196->18200 18197->18194 18197->18195 18198 40b74b GetProcAddress 18198->18197 18200->18197 18200->18198 18201 40b73c 18200->18201 18203 40b762 LoadLibraryExW 18200->18203 18201->18198 18202 40b744 FreeLibrary 18201->18202 18202->18198 18204 40b779 GetLastError 18203->18204 18205 40b7a9 18203->18205 18204->18205 18206 40b784 ___vcrt_InitializeCriticalSectionEx 18204->18206 18205->18200 18206->18205 18207 40b79a LoadLibraryExW 18206->18207 18207->18200 18209 40b6c2 ___vcrt_InitializeCriticalSectionEx 5 API calls 18208->18209 18210 40b7c7 18209->18210 18211 40b7e0 TlsAlloc 18210->18211 18212 40a6ed 18210->18212 18212->18182 18213 40b85e 18212->18213 18214 40b6c2 ___vcrt_InitializeCriticalSectionEx 5 API calls 
18213->18214 18215 40b878 18214->18215 18216 40b893 TlsSetValue 18215->18216 18217 40a706 18215->18217 18216->18217 18217->18185 18218 40a716 18217->18218 18219 40a720 18218->18219 18221 40a726 18218->18221 18222 40b7e8 18219->18222 18221->18182 18223 40b6c2 ___vcrt_InitializeCriticalSectionEx 5 API calls 18222->18223 18224 40b802 18223->18224 18225 40b81a TlsFree 18224->18225 18226 40b80e 18224->18226 18225->18226 18226->18221 18228 41eff4 18227->18228 18229 40751f 18227->18229 18228->18229 18232 414b36 18228->18232 18244 414a86 18228->18244 18229->18124 18229->18167 18233 414b42 __FrameHandler3::FrameUnwindToState 18232->18233 18249 40e0b6 EnterCriticalSection 18233->18249 18235 414b49 18250 41c905 18235->18250 18238 414b67 18269 414b8d 18238->18269 18243 414a86 2 API calls 18243->18238 18245 414a8d 18244->18245 18246 414ad0 GetStdHandle 18245->18246 18247 414b32 18245->18247 18248 414ae3 GetFileType 18245->18248 18246->18245 18247->18228 18248->18245 18249->18235 18251 41c911 __FrameHandler3::FrameUnwindToState 18250->18251 18252 41c93b 18251->18252 18253 41c91a 18251->18253 18272 40e0b6 EnterCriticalSection 18252->18272 18254 40e062 __dosmaperr 14 API calls 18253->18254 18256 41c91f 18254->18256 18258 40df64 _Ungetc 41 API calls 18256->18258 18257 41c947 18260 41c973 18257->18260 18262 41c855 __wsopen_s 15 API calls 18257->18262 18259 414b58 18258->18259 18259->18238 18263 4149d0 GetStartupInfoW 18259->18263 18273 41c99a 18260->18273 18262->18257 18264 4149ed 18263->18264 18266 414a81 18263->18266 18265 41c905 42 API calls 18264->18265 18264->18266 18267 414a15 18265->18267 18266->18243 18267->18266 18268 414a45 GetFileType 18267->18268 18268->18267 18277 40e0fe LeaveCriticalSection 18269->18277 18271 414b78 18271->18228 18272->18257 18276 40e0fe LeaveCriticalSection 18273->18276 18275 41c9a1 18275->18259 18276->18275 18277->18271 18279 410f44 18278->18279 18282 410f5a 18278->18282 18279->18282 18284 410f67 18279->18284 18281 410f51 18281->18282 18301 4110d2 
18281->18301 18282->18127 18285 410f70 18284->18285 18286 410f73 18284->18286 18285->18281 18309 41c12b 18286->18309 18291 410f90 18336 410fc1 18291->18336 18292 410f84 18293 4140e1 ___free_lconv_mon 14 API calls 18292->18293 18295 410f8a 18293->18295 18295->18281 18297 4140e1 ___free_lconv_mon 14 API calls 18298 410fb4 18297->18298 18299 4140e1 ___free_lconv_mon 14 API calls 18298->18299 18300 410fba 18299->18300 18300->18281 18302 4110e1 18301->18302 18303 411143 18301->18303 18302->18303 18304 414084 _unexpected 14 API calls 18302->18304 18305 411147 18302->18305 18306 41b07b WideCharToMultiByte _Fputc 18302->18306 18308 4140e1 ___free_lconv_mon 14 API calls 18302->18308 18303->18282 18304->18302 18307 4140e1 ___free_lconv_mon 14 API calls 18305->18307 18306->18302 18307->18303 18308->18302 18310 410f79 18309->18310 18311 41c134 18309->18311 18315 41c42d GetEnvironmentStringsW 18310->18315 18358 4151e6 18311->18358 18316 41c445 18315->18316 18321 410f7e 18315->18321 18317 41b07b _Fputc WideCharToMultiByte 18316->18317 18318 41c462 18317->18318 18319 41c477 18318->18319 18320 41c46c FreeEnvironmentStringsW 18318->18320 18322 415416 std::_Locinfo::_Locinfo_ctor 15 API calls 18319->18322 18320->18321 18321->18291 18321->18292 18323 41c47e 18322->18323 18324 41c497 18323->18324 18325 41c486 18323->18325 18327 41b07b _Fputc WideCharToMultiByte 18324->18327 18326 4140e1 ___free_lconv_mon 14 API calls 18325->18326 18328 41c48b FreeEnvironmentStringsW 18326->18328 18329 41c4a7 18327->18329 18328->18321 18330 41c4b6 18329->18330 18331 41c4ae 18329->18331 18333 4140e1 ___free_lconv_mon 14 API calls 18330->18333 18332 4140e1 ___free_lconv_mon 14 API calls 18331->18332 18334 41c4b4 FreeEnvironmentStringsW 18332->18334 18333->18334 18334->18321 18337 410fd6 18336->18337 18338 414084 _unexpected 14 API calls 18337->18338 18339 410ffd 18338->18339 18340 411005 18339->18340 18341 41100f 18339->18341 18342 4140e1 ___free_lconv_mon 14 API calls 18340->18342 18343 41106c 
18341->18343 18346 414084 _unexpected 14 API calls 18341->18346 18347 41107b 18341->18347 18352 411096 18341->18352 18354 4140e1 ___free_lconv_mon 14 API calls 18341->18354 18530 4133ef 18341->18530 18344 410f97 18342->18344 18345 4140e1 ___free_lconv_mon 14 API calls 18343->18345 18344->18297 18345->18344 18346->18341 18539 4110a3 18347->18539 18351 4140e1 ___free_lconv_mon 14 API calls 18353 411088 18351->18353 18355 40df91 __Getctype 11 API calls 18352->18355 18356 4140e1 ___free_lconv_mon 14 API calls 18353->18356 18354->18341 18357 4110a2 18355->18357 18356->18344 18359 4151f1 18358->18359 18360 4151f7 18358->18360 18361 4145cd _unexpected 6 API calls 18359->18361 18362 41460c _unexpected 6 API calls 18360->18362 18381 4151fd 18360->18381 18361->18360 18363 415211 18362->18363 18364 414084 _unexpected 14 API calls 18363->18364 18363->18381 18366 415221 18364->18366 18365 40e12c __purecall 41 API calls 18367 41527b 18365->18367 18369 415229 18366->18369 18370 41523e 18366->18370 18368 415202 18383 41bf36 18368->18383 18371 41460c _unexpected 6 API calls 18369->18371 18372 41460c _unexpected 6 API calls 18370->18372 18373 415235 18371->18373 18374 41524a 18372->18374 18378 4140e1 ___free_lconv_mon 14 API calls 18373->18378 18375 41525d 18374->18375 18376 41524e 18374->18376 18377 414f59 _unexpected 14 API calls 18375->18377 18379 41460c _unexpected 6 API calls 18376->18379 18380 415268 18377->18380 18378->18381 18379->18373 18382 4140e1 ___free_lconv_mon 14 API calls 18380->18382 18381->18365 18381->18368 18382->18368 18384 41c08b __wsopen_s 41 API calls 18383->18384 18385 41bf60 18384->18385 18406 41bcb6 18385->18406 18388 415416 std::_Locinfo::_Locinfo_ctor 15 API calls 18389 41bf8a 18388->18389 18390 41bfa0 18389->18390 18391 41bf92 18389->18391 18413 41c186 18390->18413 18393 4140e1 ___free_lconv_mon 14 API calls 18391->18393 18394 41bf79 18393->18394 18394->18310 18396 41bfd8 18397 40e062 __dosmaperr 14 API calls 18396->18397 18398 41bfdd 18397->18398 18401 
4140e1 ___free_lconv_mon 14 API calls 18398->18401 18399 41c01f 18400 41c068 18399->18400 18424 41bba8 18399->18424 18404 4140e1 ___free_lconv_mon 14 API calls 18400->18404 18401->18394 18402 41bff3 18402->18399 18405 4140e1 ___free_lconv_mon 14 API calls 18402->18405 18404->18394 18405->18399 18407 40fc50 __wsopen_s 41 API calls 18406->18407 18408 41bcc8 18407->18408 18409 41bcd7 GetOEMCP 18408->18409 18410 41bce9 18408->18410 18412 41bd00 18409->18412 18411 41bcee GetACP 18410->18411 18410->18412 18411->18412 18412->18388 18412->18394 18414 41bcb6 43 API calls 18413->18414 18415 41c1a6 18414->18415 18417 41c1e3 IsValidCodePage 18415->18417 18421 41c21f codecvt 18415->18421 18416 407413 __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 18418 41bfcd 18416->18418 18419 41c1f5 18417->18419 18417->18421 18418->18396 18418->18402 18420 41c224 GetCPInfo 18419->18420 18423 41c1fe codecvt 18419->18423 18420->18421 18420->18423 18421->18416 18432 41bd8a 18423->18432 18425 41bbb4 __FrameHandler3::FrameUnwindToState 18424->18425 18504 40e0b6 EnterCriticalSection 18425->18504 18427 41bbbe 18505 41bbf5 18427->18505 18433 41bdb2 GetCPInfo 18432->18433 18442 41be7b 18432->18442 18434 41bdca 18433->18434 18433->18442 18443 418d98 18434->18443 18436 407413 __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 18438 41bf34 18436->18438 18438->18421 18442->18436 18444 40fc50 __wsopen_s 41 API calls 18443->18444 18445 418db8 18444->18445 18446 41afff __wsopen_s MultiByteToWideChar 18445->18446 18449 418de5 18446->18449 18447 418e7c 18450 407413 __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 18447->18450 18448 418e74 18463 40715f 18448->18463 18449->18447 18449->18448 18452 415416 std::_Locinfo::_Locinfo_ctor 15 API calls 18449->18452 18454 418e0a 
__alloca_probe_16 codecvt 18449->18454 18453 418e9f 18450->18453 18452->18454 18458 41908f 18453->18458 18454->18448 18455 41afff __wsopen_s MultiByteToWideChar 18454->18455 18456 418e55 18455->18456 18456->18448 18457 418e60 GetStringTypeW 18456->18457 18457->18448 18459 40fc50 __wsopen_s 41 API calls 18458->18459 18460 4190a2 18459->18460 18470 418ea1 18460->18470 18464 407169 18463->18464 18465 40717a 18463->18465 18464->18465 18467 40dd24 18464->18467 18465->18447 18468 4140e1 ___free_lconv_mon 14 API calls 18467->18468 18469 40dd3c 18468->18469 18469->18465 18504->18427 18515 410168 18505->18515 18507 41bc17 18508 410168 41 API calls 18507->18508 18510 41bc36 18508->18510 18509 41bbcb 18512 41bbe9 18509->18512 18510->18509 18511 4140e1 ___free_lconv_mon 14 API calls 18510->18511 18511->18509 18529 40e0fe LeaveCriticalSection 18512->18529 18516 410179 18515->18516 18520 410175 codecvt 18515->18520 18517 410180 18516->18517 18522 410193 codecvt 18516->18522 18518 40e062 __dosmaperr 14 API calls 18517->18518 18519 410185 18518->18519 18521 40df64 _Ungetc 41 API calls 18519->18521 18520->18507 18521->18520 18522->18520 18523 4101c1 18522->18523 18524 4101ca 18522->18524 18525 40e062 __dosmaperr 14 API calls 18523->18525 18524->18520 18526 40e062 __dosmaperr 14 API calls 18524->18526 18527 4101c6 18525->18527 18526->18527 18528 40df64 _Ungetc 41 API calls 18527->18528 18528->18520 18531 4133fd 18530->18531 18533 41340b 18530->18533 18531->18533 18537 413423 18531->18537 18532 40e062 __dosmaperr 14 API calls 18534 413413 18532->18534 18533->18532 18535 40df64 _Ungetc 41 API calls 18534->18535 18536 41341d 18535->18536 18536->18341 18537->18536 18538 40e062 __dosmaperr 14 API calls 18537->18538 18538->18534 18540 4110b0 18539->18540 18541 411081 18539->18541 18542 4110c7 18540->18542 18543 4140e1 ___free_lconv_mon 14 API calls 18540->18543 18541->18351 18544 4140e1 ___free_lconv_mon 14 API calls 18542->18544 18543->18540 18544->18541 18584 407421 18545->18584 18547 
4038d3 std::ios_base::_Ios_base_dtor 18548 4038f2 LoadLibraryW 18547->18548 18594 402310 18548->18594 18586 407426 18584->18586 18587 407440 18586->18587 18588 412e88 codecvt 2 API calls 18586->18588 18590 407442 codecvt 18586->18590 18680 40e170 18586->18680 18587->18547 18588->18586 18589 407f7e codecvt 18591 408080 CallUnexpected RaiseException 18589->18591 18590->18589 18689 408080 18590->18689 18592 407f9b 18591->18592 18597 402358 std::ios_base::_Ios_base_dtor 18594->18597 18601 4036b0 std::ios_base::_Ios_base_dtor 18594->18601 18595 407413 __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 18596 403713 18595->18596 18605 401fd0 18596->18605 18598 404380 std::ios_base::_Init 43 API calls 18597->18598 18600 4036b2 18597->18600 18597->18601 18602 403717 18597->18602 18692 401110 18597->18692 18598->18597 18600->18601 18600->18602 18601->18595 18696 40df74 18602->18696 18923 403fb0 18605->18923 18681 415416 18680->18681 18682 415454 18681->18682 18684 415428 _unexpected 18681->18684 18685 41543f HeapAlloc 18681->18685 18683 40e062 __dosmaperr 14 API calls 18682->18683 18687 415459 18683->18687 18684->18682 18684->18685 18688 412e88 codecvt 2 API calls 18684->18688 18685->18684 18686 415452 18685->18686 18686->18687 18687->18586 18688->18684 18690 4080c7 RaiseException 18689->18690 18691 40809a 18689->18691 18690->18589 18691->18690 18693 401122 18692->18693 18701 40d97e 18693->18701 18697 40deb0 _Ungetc 41 API calls 18696->18697 18698 40df83 18697->18698 18699 40df91 __Getctype 11 API calls 18698->18699 18700 40df90 18699->18700 18702 40d992 _Fputc 18701->18702 18703 40d9b4 18702->18703 18704 40d9db 18702->18704 18705 40dee7 _Fputc 41 API calls 18703->18705 18710 40bdb9 18704->18710 18707 40d9cf 18705->18707 18708 40bbc5 _Fputc 41 API calls 18707->18708 18709 40113c 18708->18709 18709->18597 18711 40bdc5 __FrameHandler3::FrameUnwindToState 18710->18711 18718 40bb55 EnterCriticalSection 
18711->18718 18713 40bdd3 18719 40c96a 18713->18719 18718->18713 18733 4163c8 18719->18733 18721 40c991 18742 40cb75 18721->18742 18728 407413 __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 18729 40bde0 18728->18729 18730 40be08 18729->18730 18764 41638d 18733->18764 18735 4163d9 18736 416452 18735->18736 18737 416429 18735->18737 18736->18721 18738 415416 std::_Locinfo::_Locinfo_ctor 15 API calls 18737->18738 18739 416433 18738->18739 18740 4140e1 ___free_lconv_mon 14 API calls 18739->18740 18741 41643c 18740->18741 18741->18736 18777 40d796 18742->18777 18745 40cb9e 18746 40dee7 _Fputc 41 API calls 18745->18746 18747 40c9d8 18746->18747 18757 40c92c 18747->18757 18750 40d720 _Fputc 41 API calls 18752 40cbc9 std::_Locinfo::_Locinfo_ctor 18750->18752 18752->18747 18752->18750 18753 40cda6 18752->18753 18783 40cafd 18752->18783 18786 40ce21 18752->18786 18820 40cf7f 18752->18820 18754 40dee7 _Fputc 41 API calls 18753->18754 18755 40cdc2 18754->18755 18756 40dee7 _Fputc 41 API calls 18755->18756 18756->18747 18758 4140e1 ___free_lconv_mon 14 API calls 18757->18758 18759 40c93c 18758->18759 18760 416474 18759->18760 18761 40c9f2 18760->18761 18762 41647f 18760->18762 18761->18728 18762->18761 18916 40ed18 18762->18916 18766 416399 18764->18766 18765 4163ba 18765->18735 18766->18765 18770 414bc2 18766->18770 18768 4163b4 18769 421bbe __wsopen_s 41 API calls 18768->18769 18769->18765 18771 414be3 18770->18771 18772 414bce 18770->18772 18771->18768 18773 40e062 __dosmaperr 14 API calls 18772->18773 18774 414bd3 18773->18774 18775 40df64 _Ungetc 41 API calls 18774->18775 18776 414bde 18775->18776 18776->18768 18778 40d7a1 18777->18778 18779 40d7c3 18777->18779 18780 40dee7 _Fputc 41 API calls 18778->18780 18849 40d7ce 18779->18849 18782 40cb90 18780->18782 18782->18745 18782->18747 18782->18752 18857 40bf0f 18783->18857 18785 40cb38 18785->18752 18787 40ce28 18786->18787 18788 40ce3f 

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 0041FB56: CreateFileW.KERNELBASE(?,00000000,?,0041FF46,?,?,00000000,?,0041FF46,?,0000000C), ref: 0041FB73
                                    • GetLastError.KERNEL32 ref: 0041FFB1
                                    • __dosmaperr.LIBCMT ref: 0041FFB8
                                    • GetFileType.KERNELBASE(00000000), ref: 0041FFC4
                                    • GetLastError.KERNEL32 ref: 0041FFCE
                                    • __dosmaperr.LIBCMT ref: 0041FFD7
                                    • CloseHandle.KERNEL32(00000000), ref: 0041FFF7
                                    • CloseHandle.KERNEL32(?), ref: 00420144
                                    • GetLastError.KERNEL32 ref: 00420176
                                    • __dosmaperr.LIBCMT ref: 0042017D
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1681601241.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                    Similarity
                                    • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                    • String ID:
                                    • API String ID: 4237864984-0

                                    Control-flow Graph

                                    APIs
                                    • LoadLibraryW.KERNEL32(shell32.dll), ref: 004038FA
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID: .exe$open$shell32.dll
                                    • API String ID: 1029625771-3690275032

                                    Control-flow Graph

                                    APIs
                                    • GetCurrentProcess.KERNEL32(?,?,0041141C,00000016,0040BD88,?,?,4A8DC782,0040BD88,?), ref: 00411433
                                    • TerminateProcess.KERNEL32(00000000,?,0041141C,00000016,0040BD88,?,?,4A8DC782,0040BD88,?), ref: 0041143A
                                    • ExitProcess.KERNEL32 ref: 0041144C
                                    Similarity
                                    • API ID: Process$CurrentExitTerminate
                                    • String ID:
                                    • API String ID: 1703294689-0

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 004164B2: GetConsoleOutputCP.KERNEL32(4A8DC782,00000000,00000000,0040BDA8), ref: 00416515
                                    • WriteFile.KERNELBASE(FFBF5BE8,00000000,?,0040BC65,00000000,00000000,00000000,00000000,?,?,0040BC65,?,?,004328B8,00000010,0040BDA8), ref: 00416F08
                                    • GetLastError.KERNEL32(?,0040BC65,?,?,004328B8,00000010,0040BDA8,?,?,00000000,?), ref: 00416F12
                                    Similarity
                                    • API ID: ConsoleErrorFileLastOutputWrite
                                    • String ID:
                                    • API String ID: 2915228174-0

                                    Control-flow Graph

                                    APIs
                                    • GetStdHandle.KERNEL32(000000F6), ref: 00414AD2
                                    • GetFileType.KERNELBASE(00000000), ref: 00414AE4
                                    Similarity
                                    • API ID: FileHandleType
                                    • String ID:
                                    • API String ID: 3000768030-0

                                    Control-flow Graph

                                    APIs
                                    • FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00414C34,00000000,CF830579,00432C48,0000000C,00414CF0,0040BCFB,?), ref: 00414DA3
                                    • GetLastError.KERNEL32(?,00414C34,00000000,CF830579,00432C48,0000000C,00414CF0,0040BCFB,?), ref: 00414DAD
                                    Similarity
                                    • API ID: ChangeCloseErrorFindLastNotification
                                    • String ID:
                                    • API String ID: 1687624791-0

                                    Control-flow Graph

                                    APIs
                                    • CreateThread.KERNELBASE(00000000,00000000,004038B0,00000000,00000000,4A8DC782), ref: 00403EF6
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00403EFF
                                    Similarity
                                    • API ID: CreateObjectSingleThreadWait
                                    • String ID:
                                    • API String ID: 1891408510-0


                                    Control-flow Graph

                                    Similarity
                                    • API ID: __wsopen_s
                                    • String ID:
                                    • API String ID: 3347428461-0

                                    Control-flow Graph

                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000008,0000000C,?,?,004152C9,00000001,00000364,?,00000006,000000FF,?,?,0040E067,00415459), ref: 004140C5
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    APIs
                                    • CreateFileW.KERNELBASE(?,00000000,?,0041FF46,?,?,00000000,?,0041FF46,?,0000000C), ref: 0041FB73
                                    Similarity
                                    • API ID: CreateFile
                                    • String ID:
                                    • API String ID: 823142352-0
                                    APIs
                                    • GetLocaleInfoW.KERNEL32(3FC00000,2000000B,0041EEAF,00000002,00000000,?,?,?,0041EEAF,?,00000000), ref: 0041EC2A
                                    • GetLocaleInfoW.KERNEL32(3FC00000,20001004,0041EEAF,00000002,00000000,?,?,?,0041EEAF,?,00000000), ref: 0041EC53
                                    • GetACP.KERNEL32(?,?,0041EEAF,?,00000000), ref: 0041EC68
                                    Similarity
                                    • API ID: InfoLocale
                                    • String ID: ACP$OCP
                                    • API String ID: 2299586839-711371036
                                    APIs
                                      • Part of subcall function 0041512B: GetLastError.KERNEL32(?,00000008,004176AA), ref: 0041512F
                                      • Part of subcall function 0041512B: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 004151D1
                                    • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0041EE72
                                    • IsValidCodePage.KERNEL32(00000000), ref: 0041EEBB
                                    • IsValidLocale.KERNEL32(?,00000001), ref: 0041EECA
                                    • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0041EF12
                                    • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0041EF31
                                    Similarity
                                    • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                    • String ID:
                                    • API String ID: 415426439-0
                                    APIs
                                      • Part of subcall function 0041512B: GetLastError.KERNEL32(?,00000008,004176AA), ref: 0041512F
                                      • Part of subcall function 0041512B: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 004151D1
                                    • GetACP.KERNEL32(?,?,?,?,?,?,00411ED1,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0041E4C3
                                    • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00411ED1,?,?,?,00000055,?,-00000050,?,?), ref: 0041E4EE
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0041E651
                                    Similarity
                                    • API ID: ErrorLast$CodeInfoLocalePageValid
                                    • String ID: utf8
                                    • API String ID: 607553120-905460609
                                    Similarity
                                    • API ID: _strrchr
                                    • String ID:
                                    • API String ID: 3213747228-0
                                    APIs
                                    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00407AFD
                                    • IsDebuggerPresent.KERNEL32 ref: 00407BC9
                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00407BE9
                                    • UnhandledExceptionFilter.KERNEL32(?), ref: 00407BF3
                                    Similarity
                                    • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                    • String ID:
                                    • API String ID: 254469556-0
                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00404B3C
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00404B59
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00404B7D
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00404BA8
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00404C1A
                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00404C6F
                                    • __Getctype.LIBCPMT ref: 00404C86
                                    • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00404CC6
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00404D68
                                    • std::_Facet_Register.LIBCPMT ref: 00404D6E
                                    Similarity
                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_GetctypeLocinfo_ctorLocinfo_dtorRegister
                                    • String ID: bad locale name
                                    • API String ID: 103145292-1405518554
                                    APIs
                                    • type_info::operator==.LIBVCRUNTIME ref: 0040AAA7
                                    • ___TypeMatch.LIBVCRUNTIME ref: 0040ABB5
                                    • _UnwindNestedFrames.LIBCMT ref: 0040AD07
                                    • CallUnexpected.LIBVCRUNTIME ref: 0040AD22
                                    Similarity
                                    • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                    • String ID: csm$csm$csm$hqB
                                    • API String ID: 2751267872-961717235
                                    APIs
                                    • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,0042484F), ref: 00422D49
                                    Similarity
                                    • API ID: DecodePointer
                                    • String ID: acos$asin$exp$log$log10$pow$sqrt
                                    • API String ID: 3527080286-3064271455
                                    APIs
                                    • __EH_prolog3.LIBCMT ref: 00405A20
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00405A2A
                                      • Part of subcall function 00401980: std::_Lockit::_Lockit.LIBCPMT ref: 0040199C
                                      • Part of subcall function 00401980: std::_Lockit::~_Lockit.LIBCPMT ref: 004019B9
                                    • codecvt.LIBCPMT ref: 00405A64
                                    • std::_Facet_Register.LIBCPMT ref: 00405A7B
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00405A9B
                                    • __EH_prolog3.LIBCMT ref: 00405AB5
                                    Similarity
                                    • API ID: std::_$Lockit$H_prolog3Lockit::_Lockit::~_$Facet_Registercodecvt
                                    • String ID: 1]@$pdB
                                    • API String ID: 2149013928-2574904542
                                    APIs
                                    • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00407183
                                    • GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 00407191
                                    • GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 004071A2
                                    • GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 004071B3
                                    Similarity
                                    • API ID: AddressProc$HandleModule
                                    • String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
                                    • API String ID: 667068680-1247241052
                                    Similarity
                                    • API ID: __freea$__alloca_probe_16$Info
                                    • String ID:
                                    • API String ID: 127012223-0
                                    APIs
                                    • FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,4A8DC782,?,004143FE,004038D3,?,?,00000000), ref: 004143B2
                                    Similarity
                                    • API ID: FreeLibrary
                                    • String ID: api-ms-$ext-ms-
                                    • API String ID: 3664257935-537541572
                                    APIs
                                    • GetLastError.KERNEL32(?,?,0040A611,00408D4A,00407CA3), ref: 0040A628
                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0040A636
                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0040A64F
                                    • SetLastError.KERNEL32(00000000,0040A611,00408D4A,00407CA3), ref: 0040A6A1
                                    Similarity
                                    • API ID: ErrorLastValue___vcrt_
                                    • String ID:
                                    • API String ID: 3852720340-0
                                    APIs
                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,4A8DC782,?,?,00000000,0042533E,000000FF,?,00411448,?,?,0041141C,00000016), ref: 004114ED
                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004114FF
                                    • FreeLibrary.KERNEL32(00000000,?,00000000,0042533E,000000FF,?,00411448,?,?,0041141C,00000016), ref: 00411521
                                    Similarity
                                    • API ID: AddressFreeHandleLibraryModuleProc
                                    • String ID: CorExitProcess$mscoree.dll
                                    • API String ID: 4061214504-1276376045
                                    APIs
                                    • __alloca_probe_16.LIBCMT ref: 00418F28
                                    • __alloca_probe_16.LIBCMT ref: 00418FE9
                                    • __freea.LIBCMT ref: 00419050
                                      • Part of subcall function 00415416: HeapAlloc.KERNEL32(00000000,?,?,?,0040743B,?,?,004038D3,0000000C), ref: 00415448
                                    • __freea.LIBCMT ref: 00419065
                                    • __freea.LIBCMT ref: 00419075
                                    Similarity
                                    • API ID: __freea$__alloca_probe_16$AllocHeap
                                    • String ID:
                                    • API String ID: 1096550386-0
                                    APIs
                                    • ___std_exception_copy.LIBVCRUNTIME ref: 00401F9D
                                      • Part of subcall function 00408080: RaiseException.KERNEL32(E06D7363,00000001,00000003,00407F9B,?,?,?,?,00407F9B,0000000C,00432FA4,0000000C), ref: 004080E0
                                    Similarity
                                    • API ID: ExceptionRaise___std_exception_copy
                                    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                    • API String ID: 3109751735-1866435925
                                    APIs
                                    • LoadLibraryExW.KERNEL32(00000011,00000000,00000800,?,0040B713,00000000,00000001,0043568C,?,?,?,0040B8B6,00000004,InitializeCriticalSectionEx,00427C38,InitializeCriticalSectionEx), ref: 0040B76F
                                    • GetLastError.KERNEL32(?,0040B713,00000000,00000001,0043568C,?,?,?,0040B8B6,00000004,InitializeCriticalSectionEx,00427C38,InitializeCriticalSectionEx,00000000,?,0040B66D), ref: 0040B779
                                    • LoadLibraryExW.KERNEL32(00000011,00000000,00000000,?,00000011,0040A583), ref: 0040B7A1
                                    Similarity
                                    • API ID: LibraryLoad$ErrorLast
                                    • String ID: api-ms-
                                    • API String ID: 3177248105-2084034818
                                    APIs
                                    • GetConsoleOutputCP.KERNEL32(4A8DC782,00000000,00000000,0040BDA8), ref: 00416515
                                      • Part of subcall function 0041B07B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00419046,?,00000000,-00000008), ref: 0041B127
                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00416770
                                    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 004167B8
                                    • GetLastError.KERNEL32 ref: 0041685B
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1681601241.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                    • String ID:
                                    • API String ID: 2112829910-0
                                    • Opcode ID: 9c03409dc5e3a637d6edbebb8196099dd852bb166edf4384a40f4e99c6182c37
                                    • Instruction ID: 23b960d84f86169114bff6dd91ebd8bfb000f40d43b919249b886c4f1d777fdd
                                    • Opcode Fuzzy Hash: 9c03409dc5e3a637d6edbebb8196099dd852bb166edf4384a40f4e99c6182c37
                                    • Instruction Fuzzy Hash: 57D17975E002589FCB11DFA8D880AEDBBB5FF48304F19452AE866E7341D734E882CB54
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1681601241.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AdjustPointer
                                    • String ID:
                                    • API String ID: 1740715915-0
                                    • Opcode ID: 651f461737145a99faeddf7e9cbc434de1019a0abfbd738a44b85bf0bb0bacfa
                                    • Instruction ID: 563ab20b51bfab9fbe5384d5980a8cd95d5d08f0ac2ebead566dcb8f0746e7f3
                                    • Opcode Fuzzy Hash: 651f461737145a99faeddf7e9cbc434de1019a0abfbd738a44b85bf0bb0bacfa
                                    • Instruction Fuzzy Hash: 8E51CF72A003069FEB29AF11C941B7A77B4EF04314F14853FE8056B2D1E739E862C79A
                                    APIs
                                      • Part of subcall function 0041B07B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00419046,?,00000000,-00000008), ref: 0041B127
                                    • GetLastError.KERNEL32 ref: 0041B4FB
                                    • __dosmaperr.LIBCMT ref: 0041B502
                                    • GetLastError.KERNEL32(?,?,?,?), ref: 0041B53C
                                    • __dosmaperr.LIBCMT ref: 0041B543
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1681601241.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                    • String ID:
                                    • API String ID: 1913693674-0
                                    • Opcode ID: 98539fc020fd00bd43affe0888965e6ed426553bce3dc314c44ab490fe6ade4c
                                    • Instruction ID: e5a019830a3c5c962b54c78c2afe39edf9115806d1ecbdc6188aeecc851efa14
                                    • Opcode Fuzzy Hash: 98539fc020fd00bd43affe0888965e6ed426553bce3dc314c44ab490fe6ade4c
                                    • Instruction Fuzzy Hash: 3E21B371600615BFDB20AF6688809ABB7A9FF04368710C52FF91997251D778EC9087E8
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1681601241.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 66e116e2024aada6cab71803717b56169a7abbe351efb3759331a0be8796517d
                                    • Instruction ID: 3ec36e4c3c4c4b3940ca693e254ce5ca1d14e98f6d28ba957a4fd44e2fb4f4c4
                                    • Opcode Fuzzy Hash: 66e116e2024aada6cab71803717b56169a7abbe351efb3759331a0be8796517d
                                    • Instruction Fuzzy Hash: E621D7B1210205AFEB20AF62CC609AB7768BF40368710452BF959D7252D7B8ECD087A8
                                    APIs
                                    • GetEnvironmentStringsW.KERNEL32 ref: 0041C435
                                      • Part of subcall function 0041B07B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00419046,?,00000000,-00000008), ref: 0041B127
                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041C46D
                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041C48D
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1681601241.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                    • String ID:
                                    • API String ID: 158306478-0
                                    • Opcode ID: 4d096bac32b07df6f96bbfc29f435c2dddc1c3056e5e13fb52e26ce166ed4541
                                    • Instruction ID: 0fd12c7dda382d3999d10f706f970f90d8e04c4becb4264e138dc4c2bd032ff0
                                    • Opcode Fuzzy Hash: 4d096bac32b07df6f96bbfc29f435c2dddc1c3056e5e13fb52e26ce166ed4541
                                    • Instruction Fuzzy Hash: 4F11C4B6605515BFA72127B25CDACFF6D5CDE89398710402BF901D2102EA3CDD8295BD
                                    APIs
                                    • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00421C32,00000000,00000001,00000000,0040BDA8,?,004168AF,0040BDA8,00000000,00000000), ref: 004241F0
                                    • GetLastError.KERNEL32(?,00421C32,00000000,00000001,00000000,0040BDA8,?,004168AF,0040BDA8,00000000,00000000,0040BDA8,0040BDA8,?,00416E6D,?), ref: 004241FC
                                      • Part of subcall function 004241C2: CloseHandle.KERNEL32(FFFFFFFE,0042420C,?,00421C32,00000000,00000001,00000000,0040BDA8,?,004168AF,0040BDA8,00000000,00000000,0040BDA8,0040BDA8), ref: 004241D2
                                    • ___initconout.LIBCMT ref: 0042420C
                                      • Part of subcall function 00424184: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004241B3,00421C1F,0040BDA8,?,004168AF,0040BDA8,00000000,00000000,0040BDA8), ref: 00424197
                                    • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,00421C32,00000000,00000001,00000000,0040BDA8,?,004168AF,0040BDA8,00000000,00000000,0040BDA8), ref: 00424221
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1681601241.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                    • String ID:
                                    • API String ID: 2744216297-0
                                    • Opcode ID: ca09305258c16a54d0dcba451752d25af7c96ee1953d8ec0ee725fe34d53713b
                                    • Instruction ID: daf606a8d683033c96f790e5cebbb7c3d718dd05ed61dfd599687816ed725ea8
                                    • Opcode Fuzzy Hash: ca09305258c16a54d0dcba451752d25af7c96ee1953d8ec0ee725fe34d53713b
                                    • Instruction Fuzzy Hash: E4F03736700124BBCF226F95FC0899A3F26FF453B1F454565FE1995130CA319870AB98
                                    APIs
                                    • __startOneArgErrorHandling.LIBCMT ref: 0041032D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1681601241.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorHandling__start
                                    • String ID: pow
                                    • API String ID: 3213639722-2276729525
                                    • Opcode ID: c0cf26b477ce003e2ec9021a6fbfbc89d90c79d8eb5fc1b2203591be7fd8a1bc
                                    • Instruction ID: fc6d2ca4dc19ba0b715d37a90518746425c4eaa4db822c587b4b2213400e0bc5
                                    • Opcode Fuzzy Hash: c0cf26b477ce003e2ec9021a6fbfbc89d90c79d8eb5fc1b2203591be7fd8a1bc
                                    • Instruction Fuzzy Hash: 6F519F71A0A60587CB157714DA413EB3B90AB00711F644D6BE8A1463E9EB7D8CF2DA8F
                                    APIs
                                    • ___std_exception_copy.LIBVCRUNTIME ref: 00401F9D
                                      • Part of subcall function 00408080: RaiseException.KERNEL32(E06D7363,00000001,00000003,00407F9B,?,?,?,?,00407F9B,0000000C,00432FA4,0000000C), ref: 004080E0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1681601241.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExceptionRaise___std_exception_copy
                                    • String ID: ios_base::badbit set$ios_base::failbit set
                                    • API String ID: 3109751735-1240500531
                                    • Opcode ID: a6219f3ed20e78c8ecec39b4d305196ed738984f55f2ccdbe9894b6cdb82f452
                                    • Instruction ID: 4f5bf0a45fc4208832a8654eef8c337e9c06d50c54c87a988f481c954303cb93
                                    • Opcode Fuzzy Hash: a6219f3ed20e78c8ecec39b4d305196ed738984f55f2ccdbe9894b6cdb82f452
                                    • Instruction Fuzzy Hash: 7F4147B1504305AFC304DF29C841A9BF7E8EF89310F14862FF994A76A1E778E945CB99
                                    APIs
                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 0040A45F
                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 0040A513
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1681601241.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CurrentImageNonwritable___except_validate_context_record
                                    • String ID: csm
                                    • API String ID: 3480331319-1018135373
                                    • Opcode ID: ca5a29bd391d885cd4634227e419514380eff920c463d90092caad24f93c2f58
                                    • Instruction ID: 18bede24dd224cfa91d1e00103c3baabbd685d05025061fa587fd2bb58ff80c9
                                    • Opcode Fuzzy Hash: ca5a29bd391d885cd4634227e419514380eff920c463d90092caad24f93c2f58
                                    • Instruction Fuzzy Hash: 8041D934A002189BCF10DF69C885A9E7BB0FF44318F14817BE8146B3D2D779A921CB9A
                                    APIs
                                    • EncodePointer.KERNEL32(00000000,?), ref: 0040AD52
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1681601241.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: EncodePointer
                                    • String ID: MOC$RCC
                                    • API String ID: 2118026453-2084237596
                                    • Opcode ID: 5b710ab2a9f474c2cc4afd51bace25907f511bb75432380764933eab186ad071
                                    • Instruction ID: 578a82eb6ed92837561ac62ae5e682fef8a2830442736a5cd94d75dd4d38702e
                                    • Opcode Fuzzy Hash: 5b710ab2a9f474c2cc4afd51bace25907f511bb75432380764933eab186ad071
                                    • Instruction Fuzzy Hash: 2F417D71900209AFCF16DF94CD81AEEBBB5FF48304F19406AF9047B291D3399960DB95
                                    APIs
                                    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00407D98
                                    • ___raise_securityfailure.LIBCMT ref: 00407E80
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1681601241.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: FeaturePresentProcessor___raise_securityfailure
                                    • String ID: @SC
                                    • API String ID: 3761405300-4053289583
                                    • Opcode ID: 42319827a0e0b74c587616dcc60c70791287d7417a5014e862dc5be5bea1f8a0
                                    • Instruction ID: c5c0fd815b2f08e14ceb602fe243d88e4d65426d2e31bcd62793ea7bd9420f3f
                                    • Opcode Fuzzy Hash: 42319827a0e0b74c587616dcc60c70791287d7417a5014e862dc5be5bea1f8a0
                                    • Instruction Fuzzy Hash: 972104B4640A009BD328CF15FD857983BF4BB68359FA0643AE9088B3B0D3B46484CF1E
                                    APIs
                                    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00407E9E
                                    • ___raise_securityfailure.LIBCMT ref: 00407F5B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1681601241.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: FeaturePresentProcessor___raise_securityfailure
                                    • String ID: @SC
                                    • API String ID: 3761405300-4053289583
                                    • Opcode ID: ee42222a1a21f84a104741ef492a216a118de1db3b1281724e16a62be68f0859
                                    • Instruction ID: 2125179719012bf3b699bacd38cc00c528494cfbc9043f550ba33f2ea8b81d37
                                    • Opcode Fuzzy Hash: ee42222a1a21f84a104741ef492a216a118de1db3b1281724e16a62be68f0859
                                    • Instruction Fuzzy Hash: DC11E3B4651A04DBC318CF15F8817883BB4BB28346B50B03AE8088B371E3B4A5958F5E
                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00401875
                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 004018BA
                                      • Part of subcall function 0040589A: _Yarn.LIBCPMT ref: 004058B9
                                      • Part of subcall function 0040589A: _Yarn.LIBCPMT ref: 004058DD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1681601241.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                    • String ID: bad locale name
                                    • API String ID: 1908188788-1405518554
                                    • Opcode ID: 72551ae77e736be2171b1fcc8d603e91bdd62b17c33b334120392a8c0c99013b
                                    • Instruction ID: fbb5483a5c0b3d6c860fa312477ba2c73c4b5eacc305877fe335d4945849315c
                                    • Opcode Fuzzy Hash: 72551ae77e736be2171b1fcc8d603e91bdd62b17c33b334120392a8c0c99013b
                                    • Instruction Fuzzy Hash: D8F01261505B508ED370DF368404743BEE0AF25714F048E2ED4C9D7A91D379E508CBA9
                                    APIs
                                    • std::_Xinvalid_argument.LIBCPMT ref: 004012D5
                                      • Part of subcall function 004055CE: std::invalid_argument::invalid_argument.LIBCONCRT ref: 004055DA
                                    • ___std_exception_copy.LIBVCRUNTIME ref: 004012FC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1681601241.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Xinvalid_argument___std_exception_copystd::_std::invalid_argument::invalid_argument
                                    • String ID: string too long
                                    • API String ID: 1846318660-2556327735
                                    • Opcode ID: eec1613a6e5de1fed6b120e3f0db330d510a1a6c3e4767863945605622e3c6ff
                                    • Instruction ID: 272e35dc6304a19a67255a0f261e943e5561bca0c73071cc2d95ade12bed5fb2
                                    • Opcode Fuzzy Hash: eec1613a6e5de1fed6b120e3f0db330d510a1a6c3e4767863945605622e3c6ff
                                    • Instruction Fuzzy Hash: DEE0C2B2A343119BD200AF94AC01986B6D99F55314712CA2FF444F3200F3B8A8808768

                                    Execution Graph

                                    Execution Coverage:9.5%
                                    Dynamic/Decrypted Code Coverage:100%
                                    Signature Coverage:0%
                                    Total number of Nodes:25
                                    Total number of Limit Nodes:2
                                    execution_graph 10239 13ce778 10240 13ce7ba 10239->10240 10241 13ce7c0 GetModuleHandleW 10239->10241 10240->10241 10242 13ce7ed 10241->10242 10243 13ce820 10244 13ce834 10243->10244 10245 13ce859 10244->10245 10247 13ce2a8 10244->10247 10248 13cea00 LoadLibraryExW 10247->10248 10250 13cea79 10248->10250 10250->10245 10251 13c7ae0 10252 13c7afd 10251->10252 10253 13c7b05 10252->10253 10255 13c7c50 10252->10255 10256 13c7c75 10255->10256 10260 13c7d60 10256->10260 10264 13c7d50 10256->10264 10262 13c7d87 10260->10262 10261 13c7e64 10261->10261 10262->10261 10268 13c4be8 10262->10268 10267 13c7d5a 10264->10267 10265 13c7e64 10266 13c4be8 CreateActCtxA 10266->10265 10267->10265 10267->10266 10269 13c91f0 CreateActCtxA 10268->10269 10271 13c92b3 10269->10271

                                    Control-flow Graph

                                    control_flow_graph 494 13c91e5-13c91ee 495 13c91f0-13c92b1 CreateActCtxA 494->495 497 13c92ba-13c9314 495->497 498 13c92b3-13c92b9 495->498 505 13c9316-13c9319 497->505 506 13c9323-13c9327 497->506 498->497 505->506 507 13c9338 506->507 508 13c9329-13c9335 506->508 510 13c9339 507->510 508->507 510->510
                                    APIs
                                    • CreateActCtxA.KERNEL32(?), ref: 013C92A1
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.1698011327.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_13c0000_DMINktnUtY.jbxd
                                    Similarity
                                    • API ID: Create
                                    • String ID:
                                    • API String ID: 2289755597-0
                                    • Opcode ID: c6832ab8b187c117de86e78db446096a8f7d8b8d9894c6ce1b76d3afb37465d9
                                    • Instruction ID: 3f42a50a46aa959d382e0a84f7673540b100093e97592fe31b6c886bdb29479d
                                    • Opcode Fuzzy Hash: c6832ab8b187c117de86e78db446096a8f7d8b8d9894c6ce1b76d3afb37465d9
                                    • Instruction Fuzzy Hash: 3541F1B0C0071DCEDB24CFA9C94478DBBF5BF49708F24809AD448AB255DBB56946CF91

                                    Control-flow Graph

                                    control_flow_graph 511 13c4be8-13c92b1 CreateActCtxA 514 13c92ba-13c9314 511->514 515 13c92b3-13c92b9 511->515 522 13c9316-13c9319 514->522 523 13c9323-13c9327 514->523 515->514 522->523 524 13c9338 523->524 525 13c9329-13c9335 523->525 527 13c9339 524->527 525->524 527->527
                                    APIs
                                    • CreateActCtxA.KERNEL32(?), ref: 013C92A1
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.1698011327.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_13c0000_DMINktnUtY.jbxd
                                    Similarity
                                    • API ID: Create
                                    • String ID:
                                    • API String ID: 2289755597-0
                                    • Opcode ID: a9423cea9bbd5ae1c97be661a8f4ff1b48a9817805ee9e5ecf64803feebe5993
                                    • Instruction ID: c18c2d0873e184bbfdeb5ace7610e3d22356b099af35d70d293966320b917a7e
                                    • Opcode Fuzzy Hash: a9423cea9bbd5ae1c97be661a8f4ff1b48a9817805ee9e5ecf64803feebe5993
                                    • Instruction Fuzzy Hash: 6C41F1B0C0061DCFDB24CFA9C944B8EBBF5BF48708F20806AD408AB255DB756986CF90

                                    Control-flow Graph

                                    control_flow_graph 528 13ce2a8-13cea40 530 13cea48-13cea77 LoadLibraryExW 528->530 531 13cea42-13cea45 528->531 532 13cea79-13cea7f 530->532 533 13cea80-13cea9d 530->533 531->530 532->533
                                    APIs
                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,013CE859,00000800,00000000,00000000), ref: 013CEA6A
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.1698011327.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_13c0000_DMINktnUtY.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: 07dad40ff0fdda4e6e7fd26d455d2cd828fafe317deb8d2bf6acd67dff14fb5f
                                    • Instruction ID: 8f15a0c822aabbfcbead8fc8b1c9cea3cc12cf7da5b5cf8b1320e61f7634fac0
                                    • Opcode Fuzzy Hash: 07dad40ff0fdda4e6e7fd26d455d2cd828fafe317deb8d2bf6acd67dff14fb5f
                                    • Instruction Fuzzy Hash: 111114BA9002489FEB14CF9AC444ADEFFF4FB48714F10842EE519A7210C375A945CFA4

                                    Control-flow Graph

                                    control_flow_graph 536 13ce778-13ce7b8 537 13ce7ba-13ce7bd 536->537 538 13ce7c0-13ce7eb GetModuleHandleW 536->538 537->538 539 13ce7ed-13ce7f3 538->539 540 13ce7f4-13ce808 538->540 539->540
                                    APIs
                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 013CE7DE
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.1698011327.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_13c0000_DMINktnUtY.jbxd
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID:
                                    • API String ID: 4139908857-0
                                    • Opcode ID: 420360efaa10ad8ca7f681aaaa698e068c42fa407e6e3022baecdc44ba46cfd4
                                    • Instruction ID: c5111727d4c7e75e45eac26b6bbee8da7128aec0c6255acf4372c51f1272c38b
                                    • Opcode Fuzzy Hash: 420360efaa10ad8ca7f681aaaa698e068c42fa407e6e3022baecdc44ba46cfd4
                                    • Instruction Fuzzy Hash: E11110B9C002498FDB10CF9AC844ADEFBF5AB88724F10842AD428A7210C375A945CFA5
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.1697333367.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_131d000_DMINktnUtY.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 59b22ff4d3d7225668d0d22c79ef22dd8f101a56e57fce97bb4ca15e4f2ecaee
                                    • Instruction ID: 7949802b2b4ae51f17eadd4facc95bf213b6ed04c55c02b7bde791939302e529
                                    • Opcode Fuzzy Hash: 59b22ff4d3d7225668d0d22c79ef22dd8f101a56e57fce97bb4ca15e4f2ecaee
                                    • Instruction Fuzzy Hash: 28212571500204DFDB09DF98D9C8B27BFA5FB8931CF208569E9094B25AC336D456CBA2
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.1697389907.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_132d000_DMINktnUtY.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 25ebd96f327da1b43bff17e0a5829bca6a7f3bc8c24677006f999e3e093e0c09
                                    • Instruction ID: 7c71793815bbfb3edae428a9294099b0696456fbb64c761604d70930fb1be6c3
                                    • Opcode Fuzzy Hash: 25ebd96f327da1b43bff17e0a5829bca6a7f3bc8c24677006f999e3e093e0c09
                                    • Instruction Fuzzy Hash: 8A212671504304EFDB05EF98D9C4B26BBA5FB85328F20C66DE9094B356C336D446CA61
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.1697389907.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_132d000_DMINktnUtY.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bb705cdcbb79cf56d3bc0b69dc8e8ed67df754192563a5875275943f8e530a8d
                                    • Instruction ID: a64b03eea1e92e92ce01722ed0e8a4d8cf048fa3cda8daff90893fb34399b75d
                                    • Opcode Fuzzy Hash: bb705cdcbb79cf56d3bc0b69dc8e8ed67df754192563a5875275943f8e530a8d
                                    • Instruction Fuzzy Hash: 11213471604244DFCB15EF58D9C4B26BFA5FB84318F20C56DD90A4B3A6C33AD447CAA1
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.1697389907.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_132d000_DMINktnUtY.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4c120fd9e637aa4fb1dbfa551a092fd91d15b0dbeb9a2d237d232fbc8eedff0f
                                    • Instruction ID: eab9e6af0b08da1304d235bc731fe1c2a6d2039b2a3786e85e0a82558932054b
                                    • Opcode Fuzzy Hash: 4c120fd9e637aa4fb1dbfa551a092fd91d15b0dbeb9a2d237d232fbc8eedff0f
                                    • Instruction Fuzzy Hash: 4B2180755083809FCB03DF64D994711BF71EB46218F28C5DAD8498F2A7C33A981ACB62
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.1697333367.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_131d000_DMINktnUtY.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                    • Instruction ID: aa6d20c44e2fb840ab89bd339684d9ea4ea5818d307029434f27384245348ac4
                                    • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                    • Instruction Fuzzy Hash: AC11D376504240CFDB16CF54D5C4B16BF72FB95318F24C6A9D9090B25BC33AD45ACBA1
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.1697389907.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_132d000_DMINktnUtY.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                    • Instruction ID: 98fa446b88f8e831432d224b6915b2de0e2477f00e027e81e7d4c9572dbee78e
                                    • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                    • Instruction Fuzzy Hash: 6C11BB75504380DFDB02DF54D5C4B15BFB1FB85228F24C6AAD8494B296C33AD40ACB61
                                    APIs
                                    • CreateActCtxA.KERNEL32(?), ref: 029F9E21
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1699681901.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_29f0000_J48w21dBmF.jbxd
                                    Similarity
                                    • API ID: Create
                                    • String ID:
                                    • API String ID: 2289755597-0
                                    • Opcode ID: 53181890b570844d2a41d192f66e781d8f4b1e9e08dd28fa1b663b2e3e773e7b
                                    • Instruction ID: 16ea60a5a5e2a6454bc785f2d365a6ba0f94039ce5377114f32a52e677e7888b
                                    • Opcode Fuzzy Hash: 53181890b570844d2a41d192f66e781d8f4b1e9e08dd28fa1b663b2e3e773e7b
                                    • Instruction Fuzzy Hash: 684105B1C00219CFDB24CFA9C944BDDBBF5BF49304F24809AD508AB261DB756946CF90
                                    APIs
                                    • CreateActCtxA.KERNEL32(?), ref: 029F9E21
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1699681901.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_29f0000_J48w21dBmF.jbxd
                                    Similarity
                                    • API ID: Create
                                    • String ID:
                                    • API String ID: 2289755597-0
                                    • Opcode ID: b8f9d707deffcc4db20c59331f3fd2c671c56b43c77dbda21c16c5f681bb5778
                                    • Instruction ID: 50fad855b4ba103279fa5fbc20a7374e4f4d73fc33c0b5d2c68763485fb0cac5
                                    • Opcode Fuzzy Hash: b8f9d707deffcc4db20c59331f3fd2c671c56b43c77dbda21c16c5f681bb5778
                                    • Instruction Fuzzy Hash: 0341E3B1C00619CBEB64CFA9C944BDDBBF5BF48304F24806AD508AB255DB756946CF90
                                    APIs
                                    • SendMessageW.USER32(?,?,?,?), ref: 0539223D
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1707950879.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_5390000_J48w21dBmF.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID:
                                    • API String ID: 3850602802-0
                                    • Opcode ID: 4afafc0c541c721f21fa3580cedc454b5ed3de624f63948dbcd6964fa1f9c243
                                    • Instruction ID: 2eb9c55cb49a5f36810f53ef2611f66674fd092aa6756cfb9d0d2e1915d5764a
                                    • Opcode Fuzzy Hash: 4afafc0c541c721f21fa3580cedc454b5ed3de624f63948dbcd6964fa1f9c243
                                    • Instruction Fuzzy Hash: E1217CB59003089FCB14DFAAD844A9EBBF8FF48310F208459E559A7751C770A941CFA5
                                    APIs
                                    • GetClassInfoW.USER32(?,00000000), ref: 05392CCC
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1707950879.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_5390000_J48w21dBmF.jbxd
                                    Similarity
                                    • API ID: ClassInfo
                                    • String ID:
                                    • API String ID: 3534257612-0
                                    • Opcode ID: fdc8622a74ae55409befa1bb119be20617052fa70fc4950cf46bb872f5c90873
                                    • Instruction ID: 7a828e161331a160d4e202061a8928dee5e0acce841b6a7fc5d7bb3d63fae11a
                                    • Opcode Fuzzy Hash: fdc8622a74ae55409befa1bb119be20617052fa70fc4950cf46bb872f5c90873
                                    • Instruction Fuzzy Hash: 8A2107B69017199FDB14CF9AC885ADEFBF4FB48310F14842AE459A7340D374A944CFA5
                                    APIs
                                    • GetClassInfoW.USER32(?,00000000), ref: 05392CCC
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1707950879.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_5390000_J48w21dBmF.jbxd
                                    Similarity
                                    • API ID: ClassInfo
                                    • String ID:
                                    • API String ID: 3534257612-0
                                    • Opcode ID: abf109352af46eeb9d4c72257aa2e5ac4657d492044715c68d9036e436efd97d
                                    • Instruction ID: db2c48c32c3aa758eaae840a87713ea90e087fa7266e1aaf3b375a918ba5bf79
                                    • Opcode Fuzzy Hash: abf109352af46eeb9d4c72257aa2e5ac4657d492044715c68d9036e436efd97d
                                    • Instruction Fuzzy Hash: 012115B5D017099FDB14CF9AC884ADEFBF8FB48320F14842AE459A3240D374A944CFA5
                                    APIs
                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,029FF3D9,00000800,00000000,00000000), ref: 029FF5EA
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1699681901.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_29f0000_J48w21dBmF.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: 60d6ce44160feb461fc56ab41fe21eb4a980e8d04c9e76d33fbf773cc5d37644
                                    • Instruction ID: 3d404723026b7a6d30e8230f2a0a0449e7a829b8cf859904f042532d12d86b43
                                    • Opcode Fuzzy Hash: 60d6ce44160feb461fc56ab41fe21eb4a980e8d04c9e76d33fbf773cc5d37644
                                    • Instruction Fuzzy Hash: 1B1114B6D003099FDB60CF9AC844AEEFBF8EB48314F14842AD519B7650C375A545CFA4
                                    APIs
                                    • SetWindowTextW.USER32(?,00000000), ref: 0515F302
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1707472521.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_5150000_J48w21dBmF.jbxd
                                    Similarity
                                    • API ID: TextWindow
                                    • String ID:
                                    • API String ID: 530164218-0
                                    • Opcode ID: 0b713308e6bef052b923541d63f93638f9fb44bd9fecdf015eb7a0afd739fde4
                                    • Instruction ID: 6c99ed2cedd277d4b7c86b3f35a38e284c1d2bf9d047f89757134bd11af40cab
                                    • Opcode Fuzzy Hash: 0b713308e6bef052b923541d63f93638f9fb44bd9fecdf015eb7a0afd739fde4
                                    • Instruction Fuzzy Hash: 8B1103B6C002098FDB14CF9AC544BEEBBF4AB48320F14842AD869B7650D338A546CFA5
                                    APIs
                                    • SetWindowTextW.USER32(?,00000000), ref: 0515F302
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1707472521.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_5150000_J48w21dBmF.jbxd
                                    Similarity
                                    • API ID: TextWindow
                                    • String ID:
                                    • API String ID: 530164218-0
                                    • Opcode ID: 35140d0d9215485d9f1d14c5e8983d862600ff2a7be10087167dd58d694a0837
                                    • Instruction ID: 64ed4db111f399c07248b5ebe706024b257d4a6fd56275c8c0d8a99bbfe8bb6a
                                    • Opcode Fuzzy Hash: 35140d0d9215485d9f1d14c5e8983d862600ff2a7be10087167dd58d694a0837
                                    • Instruction Fuzzy Hash: 6811E4B69002498FDB14CF9AC444ADEFBF8EB88320F14842AD869A7650D378A545CFA5
                                    APIs
                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 029FF35E
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1699681901.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_29f0000_J48w21dBmF.jbxd
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID:
                                    • API String ID: 4139908857-0
                                    • Opcode ID: a72ea33cff4527d60f251bb07e85d23e931fa853f025c98eee3938e54e923ea4
                                    • Instruction ID: ff53275e774ff36a290e36b9192e9919aecb9fc8b99600a1dd7b5d8e8f6b3e29
                                    • Opcode Fuzzy Hash: a72ea33cff4527d60f251bb07e85d23e931fa853f025c98eee3938e54e923ea4
                                    • Instruction Fuzzy Hash: 211110B6D003498FCB10CF9AC444ADEFBF8EF88324F10842AD529A7650C379A545CFA1
                                    APIs
                                    • PostMessageW.USER32(?,?,?,?), ref: 05390E35
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1707950879.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_5390000_J48w21dBmF.jbxd
                                    Similarity
                                    • API ID: MessagePost
                                    • String ID:
                                    • API String ID: 410705778-0
                                    • Opcode ID: 6e48dc54ff2b0361dbf173ddc367e33827675a3bc3399c738b05b5ee644ffb0d
                                    • Instruction ID: 61294304c643c79668382026e5465976fbed1a2005dde9d79b2176e765e53dc7
                                    • Opcode Fuzzy Hash: 6e48dc54ff2b0361dbf173ddc367e33827675a3bc3399c738b05b5ee644ffb0d
                                    • Instruction Fuzzy Hash: F111F2B5800349DFDB10DF9AD849BDEBFF8EB48320F108419E558A7210C375A584CFA5
                                    APIs
                                    • PostMessageW.USER32(?,?,?,?), ref: 05390E35
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1707950879.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_5390000_J48w21dBmF.jbxd
                                    Similarity
                                    • API ID: MessagePost
                                    • String ID:
                                    • API String ID: 410705778-0
                                    • Opcode ID: 163e7c877c91c3dde9b44680b9bca0955f2ac7c69f3f2b9ec68e0ddfb1ac3302
                                    • Instruction ID: cc698d9da03ca778fd0c5160649b6e45b5ffbaab06da7cc33929f901cc04df06
                                    • Opcode Fuzzy Hash: 163e7c877c91c3dde9b44680b9bca0955f2ac7c69f3f2b9ec68e0ddfb1ac3302
                                    • Instruction Fuzzy Hash: F911D3B5800349DFDB14DF9AC849BDEBFF8EB48324F108419D558A7610C375A584CFA5
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1698441894.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_fbd000_J48w21dBmF.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e75d5c2cfb966d7ded73e026345f32c12cec1067451641559a7b046e1ec8ed61
                                    • Instruction ID: 1e2827fc5bf67a84acb19c8b1856ad7002d781934f5fe35470470ecaa74f9f90
                                    • Opcode Fuzzy Hash: e75d5c2cfb966d7ded73e026345f32c12cec1067451641559a7b046e1ec8ed61
                                    • Instruction Fuzzy Hash: D4212572500200DFCB15DF14D9C0B66BFA5FB98328F288169E9094B256D336D856EAA3
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1698626396.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_fcd000_J48w21dBmF.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d8cc004b166feafd32555033890b35d5c3add8b4e5d32f5c5a4b89971bb1c34e
                                    • Instruction ID: 9c403de741f4c9494a42032edf58a6befa7c87a85cc01fbfdad5cdd4f3f77153
                                    • Opcode Fuzzy Hash: d8cc004b166feafd32555033890b35d5c3add8b4e5d32f5c5a4b89971bb1c34e
                                    • Instruction Fuzzy Hash: E421F571584201DFCB14DF18D6C5F1ABBA5FB84324F20C57DD84A4B25AC336D847DA61
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1698626396.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_fcd000_J48w21dBmF.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 528f8ea4a808a5e2266778316450f398a7b9727f633ddf7404f61bf10db1885e
                                    • Instruction ID: 556a845e01b30d5577a1bf331f50f22e9718b407c4587c3062c101657756627b
                                    • Opcode Fuzzy Hash: 528f8ea4a808a5e2266778316450f398a7b9727f633ddf7404f61bf10db1885e
                                    • Instruction Fuzzy Hash: AF214672904201EFDB05DF14CAC1F2ABBA5FB84324F20C67DE8094B292C336D846DA61
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1698626396.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_fcd000_J48w21dBmF.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 92747110116f4c55f311046300e42c842ef0c55a4bdcf0ffb022eddf3cbbb537
                                    • Instruction ID: f9f98cf71fcb3facc7558f3d05d768d3e324d6d7ec3659c08fe4b35d60d69240
                                    • Opcode Fuzzy Hash: 92747110116f4c55f311046300e42c842ef0c55a4bdcf0ffb022eddf3cbbb537
                                    • Instruction Fuzzy Hash: 662183755493808FD702CF24D594B15BF71EB46314F28C5EED8498F6A7C33A980ACB62
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1698441894.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_fbd000_J48w21dBmF.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                    • Instruction ID: f30a02009a079ccb8be793501e5bdbcb08c5ca0a777a94bed0df0fd83707cc6b
                                    • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                    • Instruction Fuzzy Hash: 0511D376904240CFCB16CF14D5C4B56BF71FB94328F28C6A9D9090B256C33AD85ADFA2
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1698626396.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_fcd000_J48w21dBmF.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                    • Instruction ID: 5c6c6b25a70af572a843ba09f84a711d0b8355b1d9e75f82c114d5f15ead0a0f
                                    • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                    • Instruction Fuzzy Hash: A011BE75904240DFCB05CF10CAC4B59BB61FB84324F24C6AED8494B256C33AD80ADB51
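The function records above are worth cross-referencing rather than reading one by one: the same Opcode ID (for example 201b50b4… and 48042a67…) appears in the process 3 dump at 0131D000/0132D000 and again in the process 4 dump at 00FBD000/00FCD000, each time with a different Instruction ID, which is consistent with the same function mapped at a different base in both processes (the injection behaviour the signatures section flags). The script below is an added example, not Joe Sandbox tooling: it parses this record layout, reports Opcode IDs shared across processes and indexes the resolved API call sites. The sample records are copied from this report; treating the first dotted field of the Source File name as the process index is an assumption based on the visible naming (it matches the hcaresult_<process>_<dump>_ snapshot prefix).

```python
import re
from collections import defaultdict

# Sample records copied from the report above (constructed test input for
# this example; one record is the CreateActCtxA function from process 4).
SAMPLE = """\
Memory Dump Source
• Source File: 00000003.00000002.1697333367.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_131d000_DMINktnUtY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
• Instruction ID: aa6d20c44e2fb840ab89bd339684d9ea4ea5818d307029434f27384245348ac4
• Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
• Instruction Fuzzy Hash: AC11D376504240CFDB16CF54D5C4B16BF72FB95318F24C6A9D9090B25BC33AD45ACBA1
APIs
• CreateActCtxA.KERNEL32(?), ref: 029F9E21
Memory Dump Source
• Source File: 00000004.00000002.1699681901.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_29f0000_J48w21dBmF.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 53181890b570844d2a41d192f66e781d8f4b1e9e08dd28fa1b663b2e3e773e7b
• Instruction ID: 16ea60a5a5e2a6454bc785f2d365a6ba0f94039ce5377114f32a52e677e7888b
• Opcode Fuzzy Hash: 53181890b570844d2a41d192f66e781d8f4b1e9e08dd28fa1b663b2e3e773e7b
• Instruction Fuzzy Hash: 684105B1C00219CFDB24CFA9C944BDDBBF5BF49304F24809AD508AB261DB756946CF90
Memory Dump Source
• Source File: 00000004.00000002.1698441894.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_fbd000_J48w21dBmF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
• Instruction ID: f30a02009a079ccb8be793501e5bdbcb08c5ca0a777a94bed0df0fd83707cc6b
• Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
• Instruction Fuzzy Hash: 0511D376904240CFCB16CF14D5C4B56BF71FB94328F28C6A9D9090B256C33AD85ADFA2
"""

FIELD = re.compile(r"^•\s*([^:]+):\s*(.*)$")
SOURCE = re.compile(r"Source File:\s*(\S+),\s*Offset:\s*([0-9A-Fa-f]+)")
API = re.compile(r"^•\s*(\S+?)\(.*\),\s*ref:\s*([0-9A-Fa-f]+)")


def parse_records(text):
    """Split the listing into one dict per function. A record ends at its
    'Instruction Fuzzy Hash' line; an 'APIs' bullet list that precedes
    'Memory Dump Source' belongs to the record that follows it."""
    records, cur, in_apis = [], {"apis": []}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            in_apis = True
            continue
        if line == "Memory Dump Source":
            in_apis = False
            continue
        if in_apis:
            m = API.match(line)
            if m:  # (api name with module, call-site address)
                cur["apis"].append((m.group(1), int(m.group(2), 16)))
            continue
        m = SOURCE.search(line)
        if m:
            # Assumption: first dotted field of the .sdmp name is the
            # Joe Sandbox process index (3, 4, ...), as in the snapshot name.
            cur["process"] = int(m.group(1).split(".")[0])
            cur["offset"] = int(m.group(2), 16)
            continue
        m = FIELD.match(line)
        if m:
            key, val = m.group(1).strip(), m.group(2).strip()
            cur[key] = val
            if key == "Instruction Fuzzy Hash":  # last line of a record
                records.append(cur)
                cur, in_apis = {"apis": []}, False
    return records


def shared_across_processes(records):
    """Opcode IDs observed in more than one process: the same function body
    present in several dumps, which is what injected code looks like here."""
    seen = defaultdict(set)
    for r in records:
        if "Opcode ID" in r and "process" in r:
            seen[r["Opcode ID"]].add(r["process"])
    return {oid: procs for oid, procs in seen.items() if len(procs) > 1}


def api_index(records):
    """Map each resolved API (name.MODULE) to its (process, call site) pairs."""
    idx = defaultdict(list)
    for r in records:
        for name, ref in r["apis"]:
            idx[name].append((r.get("process"), ref))
    return dict(idx)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for oid, procs in shared_across_processes(recs).items():
        print(f"{oid[:16]}... in processes {sorted(procs)}")
    for name, sites in api_index(recs).items():
        print(name, ["%s:%08X" % s for s in sites])
```

Run it against the full report text instead of SAMPLE to get the complete cross-process list; a function that also carries an API bullet (as the CreateActCtxA record does) shows up in both outputs, which is the quickest way to tell which of the injected functions touch the loader or the UI APIs listed in this section.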